CVE-2025-55199

MEDIUM6.5EPSS 0.02%

Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion

Published: 8/14/2025Modified: 2/4/2026

Also known as:GHSA-9h84-qmv7-982pBIT-helm-2025-55199CGA-gpwr-gp4r-hx6mGO-2025-3887

Description

A Helm contributor discovered that it was possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. ### Impact A malicious chart can point `$ref` in _values.schema.json_ to a device (e.g. `/dev/*`) or other problem file which could cause Helm to use all available memory and have an out of memory (OOM) termination. ### Patches This issue has been resolved in Helm v3.18.5. ### Workarounds Make sure that all Helm charts that are being loaded into Helm doesn't have any reference of `$ref` pointing to `/dev/zero`. ### References Helm's security policy is spelled out in detail in our [SECURITY](https://github.com/helm/community/blob/master/SECURITY.md) document. ### Credits Disclosed by Jakub Ciolek at AlphaSense.

Affected packages (4)

Bitnami/helmfrom 0, < 3.18.5
Go/helm.sh/helmfrom 0
Go/helm.sh/helm/v3from 0, < 3.18.5
Go/helm.sh/helm/v3from 0, < 3.18.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Description

Affected packages (4)

CVSS scores

References (4)