
Update module helm.sh/helm/v3 to v3.18.5 [SECURITY]#8

Open
renovate[bot] wants to merge 1 commit into main from renovate/go-helm.sh-helm-v3-vulnerability

Conversation


@renovate renovate bot commented Jul 8, 2025

This PR contains the following updates:

Package         Change
helm.sh/helm/v3 v3.18.3 -> v3.18.5

GitHub Vulnerability Alerts

CVE-2025-53547

A Helm contributor discovered that a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated.

Impact

Fields in a Chart.yaml file, that are carried over to a Chart.lock file when dependencies are updated and this file is written, can be crafted in a way that can cause execution if that same content were in a file that is executed (e.g., a bash.rc file or shell script). If the Chart.lock file is symlinked to one of these files updating dependencies will write the lock file content to the symlinked file. This can lead to unwanted execution. Helm warns of the symlinked file but did not stop execution due to symlinking.

This affects when dependencies are updated. When using the helm command this happens when helm dependency update is run. helm dependency build can write a lock file when one does not exist but this vector requires one to already exist. This affects the Helm SDK when the downloader Manager performs an update.

Patches

This issue has been resolved in Helm v3.18.4

Workarounds

Ensure the Chart.lock file in a chart is not a symlink prior to updating dependencies.

For more information

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Jakub Ciolek at AlphaSense.

CVE-2025-55199

A Helm contributor discovered that it was possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination.

Impact

A malicious chart can point $ref in values.schema.json to a device (e.g. /dev/*) or other problem file which could cause Helm to use all available memory and have an out of memory (OOM) termination.

Patches

This issue has been resolved in Helm v3.18.5.

Workarounds

Make sure that all Helm charts that are being loaded into Helm don't have any reference of $ref pointing to /dev/zero.

References

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Jakub Ciolek at AlphaSense.

CVE-2025-55198

A Helm contributor discovered an improper validation of type error when parsing Chart.yaml and index.yaml files that can lead to a panic.

Impact

There are two areas of YAML validation that were impacted. First, when a Chart.yaml file had a null maintainer or the child or parent of a dependencies import-values could be parsed as something other than a string, helm lint would panic. Second, when an index.yaml had an empty entry in the list of chart versions Helm would panic on interactions with that repository.

Patches

This issue has been resolved in Helm v3.18.5.

Workarounds

Ensure YAML files are formatted as Helm expects prior to processing them with Helm.

References

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Jakub Ciolek at AlphaSense.


Release Notes

helm/helm (helm.sh/helm/v3)

v3.18.5: Helm v3.18.5


Helm v3.18.5 is a security release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages
Security Advisories
Installation and Upgrading

Download Helm v3.18.5. The common platform binaries are here:

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next
  • 3.19.0 is the next minor release and will be on September 11, 2025
Changelog
  • fix Chart.yaml handling 7799b48 (Matt Farina)
  • Handle messy index files dd8502f (Matt Farina)
  • json schema fix cb8595b (Robert Sirchia)

v3.18.4: Helm v3.18.4


Helm v3.18.4 is a security release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages
Security Advisories
Installation and Upgrading

Download Helm v3.18.4. The common platform binaries are here:

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next
  • 3.18.5 is the next patch release and will be on August 13, 2025
  • 3.19.0 is the next minor release and will be on September 11, 2025
Changelog
  • Disabling linter due to unknown issue f20a4ad (Matt Farina)
  • build(deps): bump the k8s-io group with 7 updates 563b094 (dependabot[bot])
  • Updating link handling 00de613 (Matt Farina)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
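The two workarounds in the advisories above (refuse to update dependencies while Chart.lock is a symlink; keep $ref in values.schema.json away from device files) can be enforced as a pre-flight step in CI before `helm dependency update` or chart loading. The following Go program is an added example, not Helm's code and not part of this PR. The function names CheckLockFile and SuspiciousRefs, the scratch-directory layout in main, and sampleSchema are constructed for illustration. It generalizes the second workaround beyond /dev/zero: every non-local $ref (any filesystem path or URL rather than a "#/..." fragment) is surfaced for review, since each of them makes the schema resolver read something outside the chart.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// ErrLockIsSymlink is returned when Chart.lock is a symbolic link.
var ErrLockIsSymlink = errors.New("Chart.lock is a symlink")

// CheckLockFile applies the CVE-2025-53547 workaround: refuse to proceed with
// a dependency update while Chart.lock is a symlink. os.Lstat inspects the
// link itself instead of following it, so a Chart.lock pointing at ~/.bashrc
// or a shell script is caught before any write could go through the link.
// A missing Chart.lock is accepted: nothing exists to be overwritten.
func CheckLockFile(chartDir string) error {
	lock := filepath.Join(chartDir, "Chart.lock")
	fi, err := os.Lstat(lock)
	if errors.Is(err, os.ErrNotExist) {
		return nil
	}
	if err != nil {
		return err
	}
	if fi.Mode()&os.ModeSymlink != 0 {
		target, _ := os.Readlink(lock)
		return fmt.Errorf("%w: %s -> %s", ErrLockIsSymlink, lock, target)
	}
	if !fi.Mode().IsRegular() {
		return fmt.Errorf("Chart.lock is not a regular file (%s): %s", fi.Mode(), lock)
	}
	return nil
}

// SuspiciousRefs parses a values.schema.json document and returns, sorted,
// every $ref whose target is not a local fragment ("#/..."). /dev/zero is
// the trigger named in CVE-2025-55199; absolute paths and file:// URLs are
// reported too because the resolver would read them from outside the chart.
func SuspiciousRefs(schema []byte) ([]string, error) {
	var doc any
	if err := json.Unmarshal(schema, &doc); err != nil {
		return nil, fmt.Errorf("values.schema.json is not valid JSON: %w", err)
	}
	var found []string
	collectRefs(doc, &found)
	sort.Strings(found)
	return found, nil
}

// collectRefs walks objects and arrays recursively and records every "$ref"
// key whose string value does not start with "#".
func collectRefs(v any, found *[]string) {
	switch node := v.(type) {
	case map[string]any:
		for key, child := range node {
			if key == "$ref" {
				if target, ok := child.(string); ok && !strings.HasPrefix(target, "#") {
					*found = append(*found, target)
				}
				continue
			}
			collectRefs(child, found)
		}
	case []any:
		for _, child := range node {
			collectRefs(child, found)
		}
	}
}

// sampleSchema is a constructed values.schema.json (not from any real chart)
// with one legitimate local $ref and two that point outside the chart.
const sampleSchema = `{
  "$schema": "https://json-schema.org/draft-07/schema#",
  "type": "object",
  "properties": {
    "image":    {"$ref": "#/definitions/image"},
    "replicas": {"$ref": "/dev/zero"},
    "extra":    {"type": "array", "items": [{"$ref": "file:///etc/passwd"}]}
  },
  "definitions": {"image": {"type": "string"}}
}`

func main() {
	// Stage the CVE-2025-53547 layout in a scratch directory: Chart.lock is a
	// symlink to a script that `helm dependency update` would overwrite.
	dir, err := os.MkdirTemp("", "chart-preflight-")
	if err != nil {
		fmt.Println("mkdtemp:", err)
		return
	}
	defer os.RemoveAll(dir)
	victim := filepath.Join(dir, "victim.sh")
	_ = os.WriteFile(victim, []byte("#!/bin/sh\necho original\n"), 0o755)
	_ = os.Symlink(victim, filepath.Join(dir, "Chart.lock"))

	fmt.Println("lock check:", CheckLockFile(dir))

	refs, err := SuspiciousRefs([]byte(sampleSchema))
	fmt.Println("non-local $ref targets:", refs, err)
}
```

Run it as `go run .` inside a directory containing only this file. Wiring CheckLockFile in front of the SDK's downloader Manager update, or as a CI step before `helm dependency update`, is the practical use; the lock check deliberately uses Lstat rather than Stat so the decision is made on the link and not on whatever it currently resolves to.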


renovate bot commented Jul 8, 2025

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 14 additional dependencies were updated

Details:

Package Change
github.com/spf13/pflag v1.0.6 -> v1.0.7
golang.org/x/sync v0.15.0 -> v0.16.0
golang.org/x/sys v0.33.0 -> v0.34.0
golang.org/x/term v0.32.0 -> v0.33.0
golang.org/x/text v0.26.0 -> v0.27.0
k8s.io/api v0.33.1 -> v0.33.3
k8s.io/apiextensions-apiserver v0.33.1 -> v0.33.3
k8s.io/apimachinery v0.33.1 -> v0.33.3
k8s.io/apiserver v0.33.1 -> v0.33.3
k8s.io/cli-runtime v0.33.1 -> v0.33.3
k8s.io/client-go v0.33.1 -> v0.33.3
k8s.io/component-base v0.33.1 -> v0.33.3
k8s.io/kubectl v0.33.1 -> v0.33.3
sigs.k8s.io/yaml v1.4.0 -> v1.5.0

renovate bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch from a3b8677 to 78675f2 on August 11, 2025 03:59
renovate bot changed the title from "Update module helm.sh/helm/v3 to v3.18.4 [SECURITY]" to "Update module helm.sh/helm/v3 to v3.18.5 [SECURITY]" on Aug 16, 2025
renovate bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch from 78675f2 to f2ad3e1 on August 16, 2025 03:06

renovate bot commented Dec 16, 2025

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 14 additional dependencies were updated

Details:

Package Change
github.com/spf13/pflag v1.0.6 -> v1.0.7
golang.org/x/sync v0.15.0 -> v0.16.0
golang.org/x/sys v0.33.0 -> v0.34.0
golang.org/x/term v0.32.0 -> v0.33.0
golang.org/x/text v0.26.0 -> v0.27.0
k8s.io/api v0.33.1 -> v0.33.3
k8s.io/apiextensions-apiserver v0.33.1 -> v0.33.3
k8s.io/apimachinery v0.33.1 -> v0.33.3
k8s.io/apiserver v0.33.1 -> v0.33.3
k8s.io/cli-runtime v0.33.1 -> v0.33.3
k8s.io/client-go v0.33.1 -> v0.33.3
k8s.io/component-base v0.33.1 -> v0.33.3
k8s.io/kubectl v0.33.1 -> v0.33.3
sigs.k8s.io/yaml v1.4.0 -> v1.5.0
