
fix(deps): update module helm.sh/helm/v3 to v3.17.4 [security] #219

Open
wants to merge 1 commit into
base: master

renovate[bot]

@renovate renovate bot commented Apr 10, 2025

This PR contains the following updates:

| Package | Change |
|---|---|
| helm.sh/helm/v3 | v3.17.2 -> v3.17.4 |

GitHub Vulnerability Alerts

CVE-2025-32386

A Helm contributor discovered that a specially crafted chart archive file can cause Helm to use all available memory and have an out of memory (OOM) termination.

Impact

A chart archive file can be crafted in a manner where it expands to be significantly larger uncompressed than compressed (e.g., >800x difference). When Helm loads this specially crafted chart, memory can be exhausted causing the application to terminate.

Patches

This issue has been resolved in Helm v3.17.3.

Workarounds

Ensure that any chart archive files being loaded by Helm do not contain files that are large enough to cause the Helm Client or SDK to use up available memory leading to a termination.

For more information

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Jakub Ciolek at AlphaSense.

CVE-2025-32387

A Helm contributor discovered that a specially crafted JSON Schema within a chart can lead to a stack overflow.

Impact

A JSON Schema file within a chart can be crafted with a deeply nested chain of references, leading to parser recursion that can exceed the stack size limit and trigger a stack overflow.

Patches

This issue has been resolved in Helm v3.17.3.

Workarounds

Ensure that the JSON Schema within any charts loaded by Helm does not have a large number of nested references. These JSON Schema files are larger than 10 MiB.

For more information

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Jakub Ciolek at AlphaSense.

CVE-2025-53547

A Helm contributor discovered that a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated.

Impact

Fields in a Chart.yaml file, that are carried over to a Chart.lock file when dependencies are updated and this file is written, can be crafted in a way that can cause execution if that same content were in a file that is executed (e.g., a bash.rc file or shell script). If the Chart.lock file is symlinked to one of these files updating dependencies will write the lock file content to the symlinked file. This can lead to unwanted execution. Helm warns of the symlinked file but did not stop execution due to symlinking.

This affects when dependencies are updated. When using the helm command this happens when helm dependency update is run. helm dependency build can write a lock file when one does not exist but this vector requires one to already exist. This affects the Helm SDK when the downloader Manager performs an update.

Patches

This issue has been resolved in Helm v3.18.4.

Workarounds

Ensure the Chart.lock file in a chart is not a symlink prior to updating dependencies.

For more information

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Jakub Ciolek at AlphaSense.


Release Notes

helm/helm (helm.sh/helm/v3)

v3.17.4: Helm v3.17.4

Compare Source

Helm v3.17.4 is a patch release that brings in the security release noted below. This is intended for Helm SDK users. CLI users are recommended to use the latest version of Helm.

Security Advisories

GHSA-557j-xg8c-q2mm: Chart Dependency Updating With Malicious Chart.yaml Content And Symlink

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Installation and Upgrading

Download Helm v3.17.4. The common platform binaries are here:

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 3.18.5 is the next patch release and will be on August 13, 2025
  • 3.19.0 is the next minor release and will be on September 11, 2025

Changelog

  • fixup! Updating link handling 0e59b9e (Luis Rascao)
  • Updating link handling 3663598 (Robert Sirchia)

v3.17.3: Helm v3.17.3

Compare Source

Helm v3.17.3 is a security (patch) release. Users are strongly recommended to update to this release.

Installation and Upgrading

Download Helm v3.17.3. The common platform binaries are here:

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 3.18.0 is the next minor release and will be on May 14, 2025

Changelog

  • Unarchiving fix e4da497 (Matt Farina)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
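
An added example, not part of this PR or of Helm's own code: a Go pre-flight check that applies two of the workarounds from the advisories above before a chart is handed to Helm, bounding how far a chart archive may inflate (CVE-2025-32386) and refusing a symlinked Chart.lock (CVE-2025-53547). The names `ExpandedSize`, `LockIsSymlink` and `ErrTooLarge`, and the 1 MiB budget, are assumptions of this sketch.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

var ErrTooLarge = errors.New("archive inflates past the size budget")

// ExpandedSize (hypothetical helper) inflates a .tgz stream, stopping at budget+1 bytes.
func ExpandedSize(r io.Reader, budget int64) (int64, error) {
	zr, err := gzip.NewReader(r)
	if err != nil {
		return 0, err
	}
	defer zr.Close()
	n, err := io.Copy(io.Discard, io.LimitReader(zr, budget+1)) // bounded work
	if err == nil && n > budget {
		err = ErrTooLarge
	}
	return n, err
}

// LockIsSymlink (hypothetical helper) reports whether chartDir/Chart.lock is a symlink.
func LockIsSymlink(chartDir string) (bool, error) {
	fi, err := os.Lstat(filepath.Join(chartDir, "Chart.lock")) // Lstat: do not follow
	if errors.Is(err, os.ErrNotExist) {
		return false, nil
	}
	if err != nil {
		return false, err
	}
	return fi.Mode()&os.ModeSymlink != 0, nil
}

func main() {
	var buf bytes.Buffer // constructed sample: 8 MiB of zeros, gzipped
	zw := gzip.NewWriter(&buf)
	zw.Write(make([]byte, 8<<20))
	zw.Close()
	n, err := ExpandedSize(&buf, 1<<20) // 1 MiB budget is an assumed value
	fmt.Println(n, err)
	fmt.Println(LockIsSymlink("."))
}
```

Because the reader is capped at one byte past the budget, an oversized archive is rejected without ever being fully inflated in memory or on disk.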


stale bot commented Jun 27, 2025

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Jun 27, 2025
@renovate renovate bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch from d0f28cd to 795ce54 Compare July 8, 2025 23:24
@renovate renovate bot changed the title fix(deps): update module helm.sh/helm/v3 to v3.17.3 [security] fix(deps): update module helm.sh/helm/v3 to v3.18.4 [security] Jul 8, 2025
@renovate renovate bot changed the title fix(deps): update module helm.sh/helm/v3 to v3.18.4 [security] fix(deps): update module helm.sh/helm/v3 to v3.17.4 [security] Jul 16, 2025
@renovate renovate bot force-pushed the renovate/go-helm.sh-helm-v3-vulnerability branch from 795ce54 to af15e7b Compare July 16, 2025 23:50