Arbitrary Code Injection Affecting helm-bash-completion package, versions <3.19.1-150000.1.57.1


Severity

Recommended
0.0
high
0
10

Based on SUSE Linux Enterprise Server security rating.

Threat Intelligence

EPSS
0.36% (29th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-SLES156-HELMBASHCOMPLETION-14105291
  • published25 Nov 2025
  • disclosed24 Nov 2025

Introduced: 24 Nov 2025

CVE-2025-53547  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

Upgrade SLES:15.6 helm-bash-completion to version 3.19.1-150000.1.57.1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream helm-bash-completion package and not the helm-bash-completion package as distributed by SLES. See How to fix? for SLES:15.6 relevant fixed versions and status.

Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lock file when dependencies are updated and this file is written, can be crafted in a way that can cause execution if that same content were in a file that is executed (e.g., a bash.rc file or shell script). If the Chart.lock file is symlinked to one of these files updating dependencies will write the lock file content to the symlinked file. This can lead to unwanted execution. Helm warns of the symlinked file but did not stop execution due to symlinking. This issue has been resolved in Helm v3.18.4.

CVSS Base Scores

version 3.1