CVE-2025-55199: Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion
A Helm contributor discovered that it was possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and be terminated out of memory (OOM).

### Impact

A malicious chart can point a `$ref` in _values.schema.json_ at a device (e.g. `/dev/*`) or another problem file, causing Helm to use all available memory when it resolves the reference and to be terminated out of memory (OOM).

### Patches

This issue has been resolved in Helm v3.18.5.

### Workarounds

Make sure that no Helm chart being loaded into Helm contains a `$ref` in _values.schema.json_ pointing at `/dev/zero` or any other device file.

### References

Helm's security policy is spelled out in detail in our [SECURITY](https://github.com/helm/community/blob/master/SECURITY.md) document.

### Credits

Disclosed by Jakub Ciolek at AlphaSense.
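A pre-load check implementing the workaround above, written as an added example for this page (it is not Helm project code): it parses a _values.schema.json_ document, walks every node, and reports each `$ref` that leaves the document, marking `/dev/*` references (bare or as `file://` URIs) as definite hits. The sample schema is constructed for the example, and treating every non-fragment `$ref` as suspicious is a conservative policy assumption of mine, since a chart's values schema normally only references `#/definitions/...` within itself.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Finding records one suspicious $ref and where it sits in the schema.
type Finding struct {
	Path string // JSON-pointer-style location of the $ref inside the schema
	Ref  string // the $ref value itself
}

// isLocalRef reports whether a $ref stays inside the schema document.
// Assumption: in a values.schema.json every legitimate $ref is a fragment
// such as "#/definitions/image"; anything else reaches outside the file.
func isLocalRef(ref string) bool {
	return strings.HasPrefix(ref, "#")
}

// isDeviceRef reports whether a $ref resolves to a device node, either as a
// bare path or as a file:// URI. This is the exact shape the advisory names.
func isDeviceRef(ref string) bool {
	p := strings.TrimPrefix(ref, "file://")
	return strings.HasPrefix(p, "/dev/")
}

// walk visits every node of the decoded schema and collects $ref values
// that leave the document.
func walk(node interface{}, path string, out *[]Finding) {
	switch v := node.(type) {
	case map[string]interface{}:
		for key, child := range v {
			childPath := path + "/" + key
			if key == "$ref" {
				if ref, ok := child.(string); ok && !isLocalRef(ref) {
					*out = append(*out, Finding{Path: childPath, Ref: ref})
				}
				continue
			}
			walk(child, childPath, out)
		}
	case []interface{}:
		for i, child := range v {
			walk(child, fmt.Sprintf("%s/%d", path, i), out)
		}
	}
}

// FindExternalRefs parses a values.schema.json document and returns every
// $ref that points outside the document. A chart with any finding should be
// rejected before Helm is allowed to load it.
func FindExternalRefs(schema []byte) ([]Finding, error) {
	var doc interface{}
	if err := json.Unmarshal(schema, &doc); err != nil {
		return nil, fmt.Errorf("values.schema.json is not valid JSON: %w", err)
	}
	var out []Finding
	walk(doc, "", &out)
	return out, nil
}

// HasDeviceRef answers the advisory's workaround question directly: does
// any $ref in this schema point at a device file?
func HasDeviceRef(schema []byte) (bool, error) {
	findings, err := FindExternalRefs(schema)
	if err != nil {
		return false, err
	}
	for _, f := range findings {
		if isDeviceRef(f.Ref) {
			return true, nil
		}
	}
	return false, nil
}

// Constructed sample: one benign intra-document $ref and one $ref to
// /dev/zero, the pattern the advisory describes.
const sampleSchema = `{
  "$schema": "https://json-schema.org/draft-07/schema#",
  "type": "object",
  "properties": {
    "image": {"$ref": "#/definitions/image"},
    "replicas": {"$ref": "/dev/zero"}
  },
  "definitions": {
    "image": {"type": "string"}
  }
}`

func main() {
	findings, err := FindExternalRefs([]byte(sampleSchema))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		label := "external"
		if isDeviceRef(f.Ref) {
			label = "DEVICE"
		}
		fmt.Printf("%-8s %s -> %s\n", label, f.Path, f.Ref)
	}
}
```

Run it against the `values.schema.json` of every chart pulled from an untrusted repository before `helm install`, `helm template` or `helm lint` touches it; the check is deliberately stricter than the advisory's `/dev/zero` wording because any `$ref` that leaves the document makes Helm read a file the chart author chose.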
Frequently Asked Questions
What is the severity of CVE-2025-55199?
CVE-2025-55199 has a high severity rating due to its potential for causing out of memory (OOM) termination.
How do I fix CVE-2025-55199?
To fix CVE-2025-55199, upgrade Helm to version 3.18.5 or later.
What software is affected by CVE-2025-55199?
CVE-2025-55199 affects Helm versions prior to 3.18.5.
What is the impact of CVE-2025-55199 on Kubernetes deployments?
The process running Helm is what runs out of memory: loading a malicious chart (for example with `helm install`, `helm template` or `helm lint`, all of which validate values against _values.schema.json_) on an operator workstation, in a CI runner, or in a controller that embeds the Helm SDK exhausts that process's memory and gets it OOM-killed. The result is a denial of service against the deployment tooling rather than against workloads already running in the cluster.
Is there a workaround for CVE-2025-55199?
Upgrading to Helm 3.18.5 or later is the primary fix. Until then, the advisory's workaround is to inspect _values.schema.json_ in any chart from an untrusted source before loading it and reject charts whose `$ref` points at `/dev/zero` or any other device file. Running Helm under a memory limit (a container memory limit or `ulimit -v`) confines the damage to the Helm process but does not stop a malicious chart from getting that process killed.