{ "schema_version": "1.4.0", "id": "GHSA-5xqw-8hwv-wg92", "modified": "2025-04-10T13:48:31Z", "published": "2025-04-10T13:48:31Z", "aliases": [ "CVE-2025-32387" ], "summary": "Helm Allows A Specially Crafted JSON Schema To Cause A Stack Overflow", "details": "A Helm contributor discovered that a specially crafted JSON Schema within a chart can lead to a stack overflow.\n\n### Impact\nA JSON Schema file within a chart can be crafted with a deeply nested chain of references, leading to parser recursion that can exceed the stack size limit and trigger a stack overflow.\n\n### Patches\nThis issue has been resolved in Helm v3.17.3.\n\n### Workarounds\nEnsure that the JSON Schema within any charts loaded by Helm does not have a large number of nested references. JSON Schema files with that many nested references are larger than 10 MiB.\n\n### For more information\nHelm's security policy is spelled out in detail in our [SECURITY](https://github.com/helm/community/blob/master/SECURITY.md) document.\n\n### Credits\nDisclosed by Jakub Ciolek at AlphaSense.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ], "affected": [ { "package": { "ecosystem": "Go", "name": "helm.sh/helm/v3" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "3.17.3" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/helm/helm/security/advisories/GHSA-5xqw-8hwv-wg92" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32387" }, { "type": "WEB", "url": "https://github.com/helm/helm/commit/d8ca55fc669645c10c0681d49723f4bb8c0b1ce7" }, { "type": "PACKAGE", "url": "https://github.com/helm/helm" } ], "database_specific": { "cwe_ids": [ "CWE-121", "CWE-674" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-04-10T13:48:31Z", "nvd_published_at": "2025-04-09T23:15:37Z" } }