Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Chart delivered over network triggers panic on user-initiated render (UI:R); no privileges required on target; availability limited to the failing Helm process only.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Helm through 4.2.3, fixed in commit ba6c9a2, contains a denial of service vulnerability in the Files.Lines template helper in pkg/engine/files.go that allows attackers to trigger an index out of range panic by including zero-length byte slices in chart files. Attackers can include empty files in Helm charts to cause deterministic render failures across template, install, upgrade, lint, and SDK Engine.Render operations.
AnalysisAI
Denial of service in Helm's Files.Lines template helper (pkg/engine/files.go) allows any party who can supply a crafted chart to crash Helm operations deterministically by embedding a zero-length file. Affected are all Helm releases through 4.2.3 across template, install, upgrade, lint, and SDK Engine.Render code paths. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The vulnerability triggers when two conditions are simultaneously met: (1) a Helm chart processed by the target system contains at least one file that is exactly zero bytes in length, and (2) a helm template, helm install, helm upgrade, helm lint, or SDK Engine.Render operation is executed against that chart. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N, score 5.3) accurately reflects a moderate, low-complexity network-reachable denial of service with limited impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with the ability to contribute to a shared Helm chart repository or submit a pull request to a GitOps repository crafts a chart containing a single zero-byte file (e.g., `files/empty.txt`). When the target organization's CI/CD pipeline automatically runs `helm lint` or `helm template` against the PR, the Files.Lines helper panics with an index out of range error, causing the pipeline job to fail deterministically. … |
| Remediation | The primary fix is to upgrade to a Helm release that includes commit ba6c9a29efa7bf9198dad6a5ec12b4fb30c96017 (https://github.com/helm/helm/commit/ba6c9a29efa7bf9198dad6a5ec12b4fb30c96017). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
All versions of Helm between Helm >=2.0.0 and < 2.12.2 contains a CWE-22: Improper Limitation of a Pathname to a Restric
In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opport
helm Before 2.7.2 is affected by: CWE-295: Improper Certificate Validation. Rated critical severity (CVSS 9.8), this vul
Their is an information disclosure vulnerability in Helm from version 3.1.0 and before version 3.2.0. Rated medium sever
Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). Rated high severity (CVSS 8.6), th
Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a s
Helm 4.0.0 through 4.1.3 silently installs Kubernetes plugins without cryptographic provenance verification even when si
Path traversal in Helm 4.0.0-4.1.3 allows local attackers to write arbitrary files during plugin installation or update
Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template funct
Helm is a package manager for Charts for Kubernetes. Rated high severity (CVSS 7.5), this vulnerability is remotely expl
Helm is a tool for managing Charts, pre-configured Kubernetes resources. Rated high severity (CVSS 7.5), this vulnerabil
Helm is a tool for managing Charts, pre-configured Kubernetes resources. Rated high severity (CVSS 7.5), this vulnerabil
Same weakness CWE-129 – Improper Validation of Array Index
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45213