Helm Vulnerability: Client Unpacking Chart that Contains Malicious Content

14 Jan 2019

Security researcher Bernard Wagner of Entersekt discovered a vulnerability in the Helm client, affecting all Helm versions from 2.0.0 up to but not including 2.12.2 (>=2.0.0, <2.12.2). Two Helm client commands may be coerced into unpacking unsafe content from a maliciously designed chart.

A specially crafted chart may be able to unpack content into locations on the filesystem outside of the chart’s path, potentially overwriting existing files.

No version of Tiller is known to be impacted. This is a client-only issue.

The following Helm commands may unsafely unpack malformed charts into a local folder: helm fetch --untar and helm lint some.tgz.

We are unaware of any public exploits caused by this issue.

ChartMuseum Vulnerability: Authorization Bypass

14 Jan 2019

Security researcher Bernard Wagner of Entersekt discovered a vulnerability in ChartMuseum, affecting all ChartMuseum versions from 0.1.0 up to but not including 0.8.1 (>=0.1.0, <0.8.1). A specially crafted chart could be uploaded that caused the uploaded archive to be saved outside of the intended location.

When ChartMuseum is configured for multitenancy, the specially crafted chart could be uploaded to one tenant but saved in the location of another tenant. This includes overwriting a chart at a given version in the other tenant.

Additionally, if ChartMuseum is configured to use local filesystem storage, the uploaded chart archive may be written to locations outside of the storage directory: anywhere the ChartMuseum application binary has write permission.

We are unaware of any public exploits caused by this issue.
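Both advisories above describe the same defect class: an archive member (or a storage path derived from chart metadata) that contains ".." or an absolute path, so that unpacking or saving lands outside the intended directory. The following Go program is an added example, not Helm's or ChartMuseum's own code, showing the check an extractor needs: every member name is mapped onto the destination with a lexical containment test before anything is written, links are refused, and a constructed in-memory .tgz (the Entry and BuildArchive helpers are assumptions for this example, not a real chart) exercises the rejection.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath flags an archive member that would land outside the destination.
var ErrUnsafePath = errors.New("archive entry escapes destination directory")

// SafeJoin maps a member name onto dest, rejecting absolute names, volume names and any ".." climb.
func SafeJoin(dest, name string) (string, error) {
	name = filepath.FromSlash(name)
	if filepath.IsAbs(name) || filepath.VolumeName(name) != "" {
		return "", ErrUnsafePath
	}
	dest = filepath.Clean(dest)
	target := filepath.Join(dest, name) // Join cleans, so ".." is resolved here
	if target != dest && !strings.HasPrefix(target, dest+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return target, nil
}

// ExtractChart unpacks a .tgz under dest, validating each member name before it is touched.
func ExtractChart(archive []byte, dest string) ([]string, error) {
	gz, err := gzip.NewReader(bytes.NewReader(archive))
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	var written []string // files actually created, also returned alongside an error
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return written, err
		}
		target, err := SafeJoin(dest, hdr.Name)
		if err != nil {
			return written, fmt.Errorf("entry %q: %w", hdr.Name, err)
		}
		switch hdr.Typeflag { // other member kinds (devices, FIFOs, ...) are skipped
		case tar.TypeDir:
			err = os.MkdirAll(target, 0o755)
		case tar.TypeReg:
			if err = writeFile(target, tr); err == nil {
				written = append(written, target)
			}
		case tar.TypeSymlink, tar.TypeLink:
			// A link whose target leaves dest is traversal by another name; a chart needs none.
			err = fmt.Errorf("entry %q: links are not permitted", hdr.Name)
		}
		if err != nil {
			return written, err
		}
	}
	return written, nil
}

// writeFile creates the parent directory and streams one member's body to disk.
func writeFile(target string, body io.Reader) error {
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	defer f.Close()
	_, err = io.Copy(f, body)
	return err
}

type Entry struct{ Name, Body string } // constructed archive member for sample charts (assumption)

// BuildArchive packs entries into an in-memory .tgz; constructed test data, so it panics on error.
func BuildArchive(entries []Entry) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.Name, Mode: 0o644, Size: int64(len(e.Body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		io.WriteString(tw, e.Body) // cannot fail: the body is exactly Size bytes
	}
	tw.Close() // tar trailer, then gzip footer; bytes.Buffer never errors
	gz.Close()
	return buf.Bytes()
}
```

A member named "../../outside.txt" makes ExtractChart return an error wrapping ErrUnsafePath before any file is created, while a well-formed chart (mychart/Chart.yaml, mychart/templates/...) extracts normally. The containment test is lexical, which is sufficient because filepath.Join cleans the path and links are refused; an extractor that wants to allow symlinks would need to apply the same containment test to each link target, and a stricter variant could validate all headers in a first pass so that a bad member late in the archive leaves nothing behind.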

Introducing the Helm Hub

11 Dec 2018

Helm was designed with many distributed repositories in mind. Like Homebrew Taps and Debian APT repositories, Helm has the ability to add and work with many repositories. While the Helm stable and incubator repositories have been front and center from the beginning, it was never our intent for these to be the only public repositories.

With this in mind, we are delighted to announce the launch of the Helm Hub. The hub provides a means for you to find charts across many distributed repositories, hosted by numerous people and organizations.


Helm is supported by and built with a community of over 250 developers.


Microsoft Google Codefresh Bitnami
Ticketmaster codecentric AG Samsung SDS

...and many other wonderful helm and charts core maintainers.