Skip to content

Renovate: Update module helm.sh/helm/v3 to v3.20.2 [SECURITY]#48

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/go-helm.sh-helm-v3-vulnerability
Open

Renovate: Update module helm.sh/helm/v3 to v3.20.2 [SECURITY]#48
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/go-helm.sh-helm-v3-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Apr 10, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
helm.sh/helm/v3 v3.20.0v3.20.2 age adoption passing confidence

Helm Chart extraction output directory collapse via Chart.yaml name dot-segment

CVE-2026-35206 / GHSA-hr2v-4r36-88hr

More information

Details

Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart's name.

Impact

The bug enables writing the Chart's contents (unpackaged/untar'ed) to the output directory <output dir>/, instead of the expected <output dir>/<chart name>/, potentially overwriting the contents of the targeted directory.

Note: a chart name containing POSIX dot-dot, or dot-dot and slashes (as if to refer to parent directories) do not resolve beyond the output directory as designed.

Patches

This issue has been resolved in Helm v3.20.2 and v4.1.3

A Chart with an unexpected name (those specified to be "." or ".."), or a Chart name which results in a non-unique directory will be rejected.

Workarounds

Ensure the the name of the Chart does not comprise/contain POSIX pathname special directory references ie. dot-dot ("..") or dot ("."). In addition, ensuring that the pull --untar flag (or equivalent SDK option) refers to a unique/empty output directory prevents chart extraction from inadvertently overwriting existing files within the specified directory.

Credits

Oleh Konko
@​1seal

Severity

  • CVSS Score: 4.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Helm Chart extraction output directory collapse via Chart.yaml name dot-segment

BIT-helm-2026-35206 / CVE-2026-35206 / GHSA-hr2v-4r36-88hr

More information

Details

Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart's name.

Impact

The bug enables writing the Chart's contents (unpackaged/untar'ed) to the output directory <output dir>/, instead of the expected <output dir>/<chart name>/, potentially overwriting the contents of the targeted directory.

Note: a chart name containing POSIX dot-dot, or dot-dot and slashes (as if to refer to parent directories) do not resolve beyond the output directory as designed.

Patches

This issue has been resolved in Helm v3.20.2 and v4.1.3

A Chart with an unexpected name (those specified to be "." or ".."), or a Chart name which results in a non-unique directory will be rejected.

Workarounds

Ensure the the name of the Chart does not comprise/contain POSIX pathname special directory references ie. dot-dot ("..") or dot ("."). In addition, ensuring that the pull --untar flag (or equivalent SDK option) refers to a unique/empty output directory prevents chart extraction from inadvertently overwriting existing files within the specified directory.

Credits

Oleh Konko
@​1seal

Severity

  • CVSS Score: 4.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

helm/helm (helm.sh/helm/v3)

v3.20.2: Helm v3.20.2

Compare Source

v3.20.2

Helm v3.20.2 is a security patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Security fixes

  • GHSA-hr2v-4r36-88hr Helm Chart extraction output directory collapse via Chart.yaml name dot-segment

Installation and Upgrading

Download Helm v3.20.2. The common platform binaries are here:

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 4.1.5 and 3.20.3 are the next patch (bug fix) releases and will be on April 8, 2026
  • 4.2.0 and 3.21.0 are the next minor (feature) releases and will be on May 13, 2026

Changelog

  • fix: Chart dot-name path bug 8fb76d6 (George Jenkins)
  • fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow 3a8927e (Terry Howe)

v3.20.1: Helm v3.20.1

Compare Source

Helm v3.20.1 is a patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Notable Changes

  • Backport of #​31644: Fixed a bug where user-provided nil value was not preserved when chart has an empty map or no default for a key
  • Backport of #​31601: Fixed a bug where OCI references with tag+digest failed with "invalid byte" error

Installation and Upgrading

Download Helm v3.20.1. The common platform binaries are here:

This release was signed with 208D D36E D5BB 3745 A167 43A4 C7C6 FBB5 B91C 1155 and can be found at @​scottrigby keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 4.2.0 and 3.21.0 are the next minor releases and will be on May 13, 2026
  • 4.1.4 and 3.20.2 are the next patch releases and will be on April 8, 2026

Changelog

  • chore(deps): bump the k8s-io group with 7 updates a2369ca (dependabot[bot])
  • add image index test 90e1056 (Pedro Tôrres)
  • fix pulling charts from OCI indices 911f2e9 (Pedro Tôrres)
  • Remove refactorring changes from coalesce_test.go 76dad33 (Evans Mungai)
  • Fix import 45c12f7 (Evans Mungai)
  • Update pkg/chart/common/util/coalesce_test.go 26c6f19 (Evans Mungai)
  • Fix lint warning 09f5129 (Evans Mungai)
  • Preserve nil values in chart already 417deb2 (Evans Mungai)
  • fix(values): preserve nil values when chart default is empty map 5417bfa (Evans Mungai)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate

renovate Bot commented Apr 10, 2026

Copy link
Copy Markdown
Contributor Author

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 8 additional dependencies were updated

Details:

Package Change
k8s.io/client-go v0.35.0 -> v0.35.1
k8s.io/api v0.35.0 -> v0.35.1
k8s.io/apiextensions-apiserver v0.35.0 -> v0.35.1
k8s.io/apimachinery v0.35.0 -> v0.35.1
k8s.io/apiserver v0.35.0 -> v0.35.1
k8s.io/cli-runtime v0.35.0 -> v0.35.1
k8s.io/component-base v0.35.0 -> v0.35.1
k8s.io/kubectl v0.35.0 -> v0.35.1

@renovate renovate Bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch from 97c76ba to 399b421 Compare April 29, 2026 17:14
@renovate renovate Bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch 2 times, most recently from 04087e6 to 88e3157 Compare May 18, 2026 13:57
@renovate renovate Bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch from 88e3157 to a0ea9ba Compare May 28, 2026 14:39
@renovate renovate Bot changed the title Renovate: Update module helm.sh/helm/v3 to v3.20.2 [SECURITY] Renovate: Update module helm.sh/helm/v3 to v3.20.2 [SECURITY] - autoclosed Jun 23, 2026
@renovate renovate Bot closed this Jun 23, 2026
@renovate renovate Bot deleted the renovate/go-helm.sh-helm-v3-vulnerability branch June 23, 2026 22:59
@renovate renovate Bot changed the title Renovate: Update module helm.sh/helm/v3 to v3.20.2 [SECURITY] - autoclosed Renovate: Update module helm.sh/helm/v3 to v3.20.2 [SECURITY] Jun 24, 2026
@renovate renovate Bot reopened this Jun 24, 2026
@renovate renovate Bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch 2 times, most recently from a0ea9ba to 2941267 Compare June 24, 2026 02:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@Nuckal777 Nuckal777

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Nuckal777