PT-2022-16051 · Helm +2

Adamkorcz +1

Published: 2022-12-14 · Updated: 2025-11-28

CVE-2022-23525

CVSS v3.1: 5.3 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: Helm versions prior to 3.10.3
Description: A NULL pointer dereference in Helm's repo package can lead to a denial of service. The repo package processes a chart repository's index file and loads it into structures that Go can work with. Certain index files cause array data structures to be created in a way that results in a memory violation (a nil pointer dereference) when the index is processed. Index files are fetched from chart repositories, so the malformed input can arrive over the network (AV:N in the vector). When the Helm client encounters such an index file it panics; because Helm is not a long-running service, the panic affects only that invocation and not future uses of the client. Applications that use the repo package of the Helm SDK to parse index files are more exposed: if the process is long-lived and the panic is not recovered from, a single malformed index file terminates the whole application.
Recommendations: For versions prior to 3.10.3, update to version 3.10.3 or later. As a temporary workaround, SDK users can validate that index files are correctly formatted before passing them to the repo functions; additionally wrapping those calls in a function that recovers from panics limits the impact to a returned error rather than a process crash.
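The workaround above, validating an index before it reaches the repo functions and guarding the call so a panic becomes an error, as an added example that is not part of this advisory or of Helm's code base. The ChartVersion and IndexFile types are simplified stand-ins assumed for the example (not the SDK's own types), unguardedLoad is a hypothetical loader standing in for an SDK routine that trusts its input, and the nil list element used as the malformed case is an assumption about one shape of bad input rather than a detail taken from the page. The sample indexes are constructed in Go directly; a real caller would unmarshal index.yaml into the struct first.

```go
package main

import (
	"errors"
	"fmt"
)

// ChartVersion and IndexFile are simplified stand-ins (assumed for this
// example, not Helm's own types) for the structures the repo package loads
// an index.yaml into: a map of chart name to a list of versions, each element
// a pointer. A malformed document can therefore leave nil elements in a list,
// and a loader that dereferences them panics.
type ChartVersion struct {
	Name    string
	Version string
}

type IndexFile struct {
	APIVersion string
	Entries    map[string][]*ChartVersion
}

// ErrInvalidIndex marks structural problems found before loading.
var ErrInvalidIndex = errors.New("invalid repository index")

// ValidateIndex implements the "validate first" workaround: it walks every
// entry list and rejects nil elements and entries without a name or version,
// so malformed input never reaches the loader. The exact checks are an
// assumption about what a well-formed index needs.
func ValidateIndex(idx *IndexFile) error {
	if idx == nil {
		return fmt.Errorf("%w: nil index", ErrInvalidIndex)
	}
	if idx.APIVersion == "" {
		return fmt.Errorf("%w: missing apiVersion", ErrInvalidIndex)
	}
	for name, versions := range idx.Entries {
		for i, cv := range versions {
			if cv == nil {
				return fmt.Errorf("%w: entry %q[%d] is empty", ErrInvalidIndex, name, i)
			}
			if cv.Name == "" || cv.Version == "" {
				return fmt.Errorf("%w: entry %q[%d] lacks name or version", ErrInvalidIndex, name, i)
			}
		}
	}
	return nil
}

// unguardedLoad is a hypothetical loader that trusts its input, standing in
// for an SDK routine: it dereferences every entry, so a nil element panics.
func unguardedLoad(idx *IndexFile) int {
	count := 0
	for _, versions := range idx.Entries {
		for _, cv := range versions {
			if cv.Version == "" { // nil pointer dereference when cv == nil
				continue
			}
			count++
		}
	}
	return count
}

// Guard runs fn and converts any panic into an error, so a long-running
// caller survives a loader that panics on input it did not anticipate.
func Guard(fn func() int) (count int, err error) {
	defer func() {
		if r := recover(); r != nil {
			count = 0
			err = fmt.Errorf("index loader panicked: %v", r)
		}
	}()
	return fn(), nil
}

// SafeLoad combines both layers: reject malformed input up front, then run
// the loader under Guard as defence in depth.
func SafeLoad(idx *IndexFile) (int, error) {
	if err := ValidateIndex(idx); err != nil {
		return 0, err
	}
	return Guard(func() int { return unguardedLoad(idx) })
}

func main() {
	// Constructed sample indexes: one well-formed, one with an empty element.
	good := &IndexFile{APIVersion: "v1", Entries: map[string][]*ChartVersion{
		"nginx": {{Name: "nginx", Version: "1.0.0"}, {Name: "nginx", Version: "1.1.0"}},
	}}
	bad := &IndexFile{APIVersion: "v1", Entries: map[string][]*ChartVersion{
		"nginx": {{Name: "nginx", Version: "1.0.0"}, nil},
	}}

	for _, idx := range []*IndexFile{good, bad} {
		n, err := SafeLoad(idx)
		fmt.Printf("SafeLoad: %d versions, err=%v\n", n, err)
	}
	// Even without validation, Guard turns the nil dereference into an error
	// instead of a crash.
	n, err := Guard(func() int { return unguardedLoad(bad) })
	fmt.Printf("Guard only: %d versions, err=%v\n", n, err)
}
```

Validation is the primary control because it rejects the input before any SDK code runs; the recover wrapper is a second layer for loader paths the validator did not anticipate, and it only contains the failure to one request rather than fixing the underlying bug, so upgrading to 3.10.3 remains the actual remedy.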

Exploit

Fix

DoS

NULL Pointer Dereference

Weakness Enumeration

Related Identifiers

ALT-PU-2023-1697
ALT-PU-2024-16525
AZL-11655
BIT-HELM-2022-23525
CVE-2022-23525
GHSA-53C4-HHMH-VW5Q
GO-2022-1165
OPENSUSE-SU-2022:4606-1
OPENSUSE-SU-2024:12572-1
OPENSUSE-SU-2024:12603-1
OPENSUSE-SU-2025:15779-1
SUSE-SU-2022:4606-1

Affected Products

Alt Linux
Helm
Suse