CVE-2025-32386
📋 TL;DR
This CVE describes a memory exhaustion vulnerability in Helm where specially crafted chart archive files can expand to be significantly larger uncompressed than compressed (e.g., >800x difference). When Helm loads these malicious charts, it can exhaust system memory causing application termination. This affects all Helm users who process untrusted chart files.
💻 Affected Systems
- Helm
📦 What is this software?
Helm by Helm
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service through memory exhaustion causing Helm processes to crash, potentially disrupting Kubernetes deployments and management workflows.
Likely Case
Helm process termination when processing malicious charts, interrupting deployment operations and requiring manual intervention.
If Mitigated
Minimal impact if only trusted charts from verified sources are used and proper input validation is implemented.
🎯 Exploit Status
Exploitation requires the attacker to provide a malicious chart file that Helm processes. No authentication is needed if Helm can be made to load the malicious chart.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.17.3
Vendor Advisory: https://github.com/helm/helm/security/advisories/GHSA-4hfp-h4cw-hj8p
Restart Required: Yes
Instructions:
1. Check current Helm version: helm version
2. Upgrade Helm using your package manager: brew upgrade helm (macOS) or download from GitHub releases
3. Verify upgrade: helm version should show v3.17.3 or later
4. Restart any Helm processes or deployments
🔧 Temporary Workarounds
Restrict chart sources
Only use charts from trusted, verified repositories and avoid processing charts from untrusted sources.
helm repo add only-trusted-repo https://trusted.example.com/charts
helm install <release-name> only-trusted-repo/<chart-name> (install only by referencing the verified repository; <release-name> and <chart-name> are placeholders)
Implement chart validation
Add pre-processing validation for chart files before passing them to Helm, checking for suspicious compression ratios.
Custom script to check chart file properties before helm install/upgrade
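The following is an added example of such a pre-processing check, written for this page rather than taken from Helm or the advisory. It streams the gzip layer of a .tgz chart and counts decompressed bytes, refusing the archive as soon as the count exceeds either an assumed absolute cap (64 MiB) or an assumed expansion ratio (100x, comfortably below the >800x expansion the advisory describes), so the checker itself never buffers a bomb. The sample archives, the chart name mychart, and the two limit values are all constructed assumptions.

```python
#!/usr/bin/env python3
"""Pre-flight check for Helm chart archives (.tgz): refuse archives whose
decompressed size is out of proportion to their compressed size.

Added example for this advisory; not Helm's own code. The limits below are
assumptions chosen for illustration, not values taken from the Helm fix.
"""
import gzip
import io
import os
import random
import sys
import tarfile

MAX_RATIO = 100                      # assumed: reject >100x expansion
MAX_UNCOMPRESSED = 64 * 1024 * 1024  # assumed: reject >64 MiB regardless of ratio
CHUNK = 64 * 1024


class ChartRejected(Exception):
    """Raised when the archive exceeds a decompression limit."""


def measure_decompressed(fileobj, compressed_size,
                         max_ratio=MAX_RATIO, max_bytes=MAX_UNCOMPRESSED):
    """Stream the gzip layer and count decompressed bytes.

    Stops as soon as a limit is crossed, so the checker never holds the full
    payload in memory: a bomb is rejected after reading only `limit` bytes.
    """
    limit = min(max_bytes, compressed_size * max_ratio)
    total = 0
    with gzip.GzipFile(fileobj=fileobj, mode="rb") as gz:
        while True:
            chunk = gz.read(CHUNK)
            if not chunk:
                break
            total += len(chunk)
            if total > limit:
                raise ChartRejected(
                    f"decompressed size exceeded {limit} bytes "
                    f"(compressed {compressed_size} bytes, limit ratio {max_ratio}x)")
    return total


def check_chart_bytes(data, **limits):
    """Check an in-memory .tgz; returns size statistics or raises ChartRejected."""
    total = measure_decompressed(io.BytesIO(data), len(data), **limits)
    return {"compressed": len(data), "uncompressed": total,
            "ratio": total / max(len(data), 1)}


def check_chart_file(path, **limits):
    """Check a .tgz on disk without loading the whole file into memory."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        total = measure_decompressed(f, size, **limits)
    return {"compressed": size, "uncompressed": total, "ratio": total / max(size, 1)}


def make_chart_archive(values_payload):
    """Constructed sample: a minimal chart tarball (Chart.yaml + values.yaml)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name, content):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
        add("mychart/Chart.yaml", b"apiVersion: v2\nname: mychart\nversion: 0.1.0\n")
        add("mychart/values.yaml", values_payload)
    return buf.getvalue()


# Constructed inputs: an ordinary chart whose values are incompressible
# (deterministic pseudo-random bytes), and a "bomb" whose values.yaml is
# 16 MiB of zero bytes, which gzip shrinks roughly 1000x.
BENIGN_CHART = make_chart_archive(random.Random(42).randbytes(32 * 1024))
BOMB_CHART = make_chart_archive(b"\0" * (16 * 1024 * 1024))


if __name__ == "__main__":
    # Usage: python check_chart.py chart-a.tgz chart-b.tgz ...
    for path in sys.argv[1:]:
        try:
            stats = check_chart_file(path)
            print(f"OK   {path}: {stats['ratio']:.1f}x expansion")
        except (ChartRejected, OSError, EOFError) as exc:
            print(f"FAIL {path}: {exc}")
            sys.exit(1)
```

Run it against each chart before helm install or helm upgrade and gate on the exit status. The ratio check alone would let a huge but poorly compressible archive through, which is why the absolute cap is kept as a second limit; both values should be tuned to the largest legitimate chart in your own repositories.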
🧯 If You Can't Patch
- Implement strict source control for charts - only use charts from verified internal repositories
- Monitor Helm processes for abnormal memory consumption and implement alerting
🔍 How to Verify
Check if Vulnerable:
Run: helm version | grep -E 'v3\.([0-9]|1[0-6])\.[0-9]+|v3\.17\.[0-2]([^0-9]|$)' - if this prints a match, the installed version (v3.0 through v3.16, or v3.17.0 to v3.17.2) is vulnerable
Check Version:
helm version --short
Verify Fix Applied:
Run: helm version --short and confirm the reported version is v3.17.3 or later (a literal grep for 'v3\.17\.3' matches only that exact release, not later patched versions)
📡 Detection & Monitoring
Log Indicators:
- Helm process crashes with out-of-memory errors
- Abnormal memory consumption spikes in Helm processes
- Failed deployments with memory allocation errors
Network Indicators:
- Downloads of unusually small chart files followed by high memory usage
- Requests to untrusted chart repositories
SIEM Query:
process.name:"helm" AND (memory.usage > 90% OR exit_code:137)