Helm · Helm · CVE-2023-25165
**Name of the Vulnerable Software and Affected Versions**
Helm versions prior to 3.11.1
**Description**
The `getHostByName` template function in Helm, introduced in Helm v3, performs a DNS lookup to return an IP address for a given hostname. This function can disclose information passed into the chart to the DNS servers used for the lookup. A malicious chart could exploit this by injecting `getHostByName` to disclose values to a malicious DNS server. The issue arises when `helm install|upgrade|template` or the Helm SDK is used to render a chart.
**Recommendations**
For Helm versions prior to 3.11.1, update to Helm 3.11.1 to resolve the issue.
As a temporary workaround, before using a chart with Helm, verify that no template uses the `getHostByName` function to disclose information you do not want passed to DNS servers.
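
One way to carry out the workaround check, as an added example that is not part of the advisory or of Helm itself: a Python scanner that lists every template action calling `getHostByName` in a chart directory or packaged `.tgz`, including packaged subcharts. The function names and the sample template are constructed for illustration; scanning every file rather than only `templates/` is a deliberately conservative assumption.

```python
import io
import re
import sys
import tarfile
from pathlib import Path

ACTION = re.compile(r"\{\{.*?\}\}", re.S)  # one template action; may span lines
CALL = re.compile(r"\bgetHostByName\b")

# Constructed sample template, not taken from any real chart.
SAMPLE = '''addr: {{ getHostByName "db.example.internal" }}
peer: {{- .Values.externalHost
        | getHostByName }}
name: {{ .Values.name | quote }}
'''

def scan_text(text, name):
    """Return (name, line, action) for each action that calls getHostByName."""
    return [(name, text.count("\n", 0, m.start()) + 1, " ".join(m.group().split()))
            for m in ACTION.finditer(text) if CALL.search(m.group())]

def scan_archive(fileobj, label):
    """Scan a packaged chart (.tgz), recursing into packaged subcharts."""
    hits = []
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in (m for m in tar if m.isfile()):
            data, name = tar.extractfile(member).read(), f"{label}!{member.name}"
            if name.endswith(".tgz"):
                hits += scan_archive(io.BytesIO(data), name)
            else:
                hits += scan_text(data.decode("utf-8", "replace"), name)
    return hits

def scan_chart(path):
    """Scan every file in a chart directory or .tgz, not only templates/."""
    path = Path(path)
    if path.is_file():
        return scan_archive(io.BytesIO(path.read_bytes()), str(path))
    hits = []
    for f in sorted(p for p in path.rglob("*") if p.is_file()):
        if f.suffix == ".tgz":
            hits += scan_chart(f)
        else:
            hits += scan_text(f.read_text("utf-8", "replace"), str(f))
    return hits

if __name__ == "__main__":
    found = scan_chart(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE, "<sample>")
    print("\n".join(f"{n}:{ln}: {a}" for n, ln, a in found))
    sys.exit(1 if found else 0)
```

Run it with a chart path as the only argument; it exits non-zero when any use is found. Each reported action still needs a manual read to decide whether its argument carries information you do not want sent to DNS servers.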