SCA: security update for helm.sh/helm/v3 (GHSA-557j-xg8c-q2mm)

high Tenable Cloud Security Plugin ID 428318

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file
along with a specially linked Chart.lock file can lead to local code execution when dependencies are
updated. Fields in a Chart.yaml file, that are carried over to a Chart.lock file when dependencies are
updated and this file is written, can be crafted in a way that can cause execution if that same content
were in a file that is executed (e.g., a bash.rc file or shell script). If the Chart.lock file is
symlinked to one of these files updating dependencies will write the lock file content to the symlinked
file. This can lead to unwanted execution. Helm warns of the symlinked file but did not stop execution due
to symlinking. This issue has been resolved in Helm v3.18.4. (CVE-2025-53547)

See Also

https://github.com/advisories/GHSA-557j-xg8c-q2mm

Plugin Details

Severity: High

ID: 428318

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 7/9/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7

Percentile: 98.33

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-53547

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.7

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/8/2025

Vulnerability Publication Date: 7/8/2025

Reference Information

CVE: CVE-2025-53547

cwe: CWE-94