CVE-2025-55199
BaseFortify
Publication date: 2025-08-14
Last updated on: 2025-08-21
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| helm | helm | to 3.18.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-55199 is a vulnerability in Helm, a Kubernetes package manager, affecting versions up to 3.18.4. It occurs when a Helm chart's JSON Schema file is crafted with a $ref pointer referencing special device files like /dev/zero. This causes Helm to consume all available memory, leading to an out-of-memory (OOM) termination. The attack requires user interaction but no privileges and can be triggered remotely via a malicious chart. [1]
How can this vulnerability impact me? :
This vulnerability can cause Helm to exhaust all available memory and crash (OOM termination), resulting in denial of service. It impacts availability but does not affect confidentiality or integrity. An attacker can exploit this remotely with low complexity, potentially disrupting Kubernetes deployments that rely on Helm for package management. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting Helm charts for JSON Schema files (values.schema.json) that contain $ref references pointing to device files such as /dev/zero. You can search for such references in your Helm charts using commands like: 1) grep -r '\$ref' /path/to/helm/charts | grep '/dev/zero' 2) find /path/to/helm/charts -name 'values.schema.json' -exec grep -H '\$ref' {} \; | grep '/dev/zero' These commands help identify potentially malicious or vulnerable charts that could trigger the out-of-memory condition. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Helm to version 3.18.5 or later, where the vulnerability is resolved. Additionally, ensure that all Helm charts being loaded do not contain any $ref references to device files like /dev/zero. As a workaround, manually review and sanitize charts to remove such references before deployment. [1]