RATATOSKRATATOSK
Sign in

Helm

v3.20.2Kubernetes Core
Apr 10, 2026

Security-only patch fixing a path traversal vulnerability in chart extraction. Upgrade immediately if you pull charts from untrusted sources.

  • securityPatch a chart extraction path traversal — upgrade now

    A crafted Chart.yaml using dot-segments (e.g., '..') in the chart name could cause Helm to write files outside the intended extraction directory. This is a classic directory traversal attack vector. If your pipelines pull charts from public repos, third-party registries, or any source you don't fully control, treat this as critical and upgrade to v3.20.2 today. Teams operating fully air-gapped with only internally authored charts have lower immediate risk, but should still upgrade on the next maintenance window.

Key changes (3)

  • GHSA-hr2v-4r36-88hr patched: malicious Chart.yaml with dot-segment names could collapse output directory paths during chart extraction
  • No functional changes — purely a security fix
  • Next patch releases (4.1.5 / 3.20.3) scheduled for April 8, 2026