Helm
v3.20.2Kubernetes Core2026年4月10日
Security-only patch fixing a path traversal vulnerability in chart extraction. Upgrade immediately if you pull charts from untrusted sources.
securityPatch a chart extraction path traversal — upgrade now
A crafted Chart.yaml using dot-segments (e.g., '..') in the chart name could cause Helm to write files outside the intended extraction directory. This is a classic directory traversal attack vector. If your pipelines pull charts from public repos, third-party registries, or any source you don't fully control, treat this as critical and upgrade to v3.20.2 today. Teams operating fully air-gapped with only internally authored charts have lower immediate risk, but should still upgrade on the next maintenance window.
主な変更 (3)
- GHSA-hr2v-4r36-88hr patched: malicious Chart.yaml with dot-segment names could collapse output directory paths during chart extraction
- No functional changes — purely a security fix
- Next patch releases (4.1.5 / 3.20.3) scheduled for April 8, 2026