5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-23525

GHSA ID

GHSA-53c4-hhmh-vw5q

EPSS Score

0.0656%

CWE

CWE-476

Published

12/14/2022

Updated

9/8/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-23525

CVE-2022-23525: Helm vulnerable to denial of service through through repository index file

Fuzz testing, by Ada Logics and sponsored by the CNCF, identified input to functions in the _repo_ package that can cause a segmentation violation. Applications that use functions from the _repo_ package in the Helm SDK can have a Denial of Service attack when they use this package and it panics.

Impact

The _repo_ package contains a handler that processes the index file of a repository. For example, the Helm client adds references to chart repositories where charts are managed. The _repo_ package parses the index file of the repository and loads it into structures Go can work with. Some index files can cause array data structures to be created causing a memory violation.

Applications that use the _repo_ package in the Helm SDK to parse an index file can suffer a Denial of Service when that input causes a panic that cannot be recovered from.

The Helm Client will panic with an index file that causes a memory violation panic. Helm is not a long running service so the panic will not affect future uses of the Helm client.

Patches

This issue has been resolved in 3.10.3.

Workarounds

SDK users can validate index files that are correctly formatted before passing them to the _repo_ functions.

For more information

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Ada Logics in a fuzzing audit sponsored by CNCF.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-23525

CVE-2022-23525:

5.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-23525

GHSA ID

GHSA-53c4-hhmh-vw5q

EPSS Score

0.0656%

CWE

CWE-476

Published

12/14/2022

Updated

9/8/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
helm.sh/helm/v3	go	< 3.10.3	3.10.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The patch adds critical nil checks in MustAdd (for Entries map) and loadIndex (for individual chart entries). These functions directly process untrusted index files. The CWE-476 classification and fuzzing context indicate nil pointer dereferences were the root cause. The Go vulnerability report (GO-2022-1165) explicitly lists LoadIndexFile and MustAdd as affected symbols. The added test cases (TestAddFileIndexEntriesNil, TestLoadIndex_EmptyEntry) validate these were the failure points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-23525: Helm vulnerable to denial of service through through repository index file

Impact

Patches

Workarounds

For more information

Credits

CVE-2022-23525:

5.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2022-23525: Helm vulnerable to denial of service through through repository index file

Impact

Patches

Workarounds

For more information

Credits

Technical Details

5.3

5.3

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI