Name of the Vulnerable Software and Affected Versions Renovate versions 37.158.0 through 37.199.0

Description Attackers with commit access to the default branch of a repository using Renovate could manipulate registryAliases to execute arbitrary commands. This is due to the registryAliases becoming mergeable, allowing the helmv3 manager to honor its value and use a helm repo add command for each defined alias. The key was not quoted, leading to the ability to use variable references and have them printed by Renovate on the pull request, or even running any shell commands. This vulnerability allows full access to Renovate's execution environment.

Recommendations For Renovate versions 37.158.0 through 37.199.0, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the registryAliases configuration to prevent manipulation. Additionally, restrict the use of the helm repo add command to minimize the risk of exploitation. Avoid using the registryAliases feature until the issue is resolved.