## Helm v3.20.2 Patches Critical Directory Traversal Vulnerability in Chart Extraction
A critical security vulnerability in Helm, the Kubernetes package manager, has been patched in version 3.20.2. The flaw, tracked by a CVE, existed in versions up to and including 3.20.1 and stemmed from how Helm processes Chart.yaml files during extraction. Specifically, the vulnerability allowed a maliciously crafted Helm chart to write its contents directly into the immediate output directory instead of the intended, isolated subdirectory when using the `helm pull --untar` command. This behavior opened the door to directory traversal attacks, where an attacker could potentially overwrite or place files in sensitive locations on the filesystem of the system running Helm.

The core of the issue was a directory collapse during the untarring process. When a user pulls and untars a chart, the expected behavior is for all chart contents to be contained within a dedicated folder. The vulnerability broke this isolation, allowing chart contents to 'escape' to the parent directory. This type of flaw is a classic vector for supply chain attacks, as a user pulling a compromised chart from a public or untrusted repository could inadvertently compromise their local environment or CI/CD pipeline. The fix in Helm v3.20.2 rectifies the extraction logic to ensure proper directory containment.
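
As an added illustration of the containment the fix restores (example code written for this article, not Helm's own extraction logic or its patch), the Go snippet below walks every member of a chart tarball and reports any entry that would land outside the `<dest>/<chartName>/` subdirectory, including the collapse case where a file is written straight into `dest`; the `dest` and `chartName` values and all function names are assumptions.

```go
package main

import (
	"archive/tar"
	"bytes"
	"io"
	"path/filepath"
	"strings"
)

// buildArchive packs member names (as empty files) into an in-memory tar stream (sample input only).
func buildArchive(names []string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		if err := tw.WriteHeader(&tar.Header{Name: n}); err != nil {
			panic(err)
		}
	}
	tw.Close() // writes the end-of-archive marker; cannot fail on a bytes.Buffer
	return buf.Bytes()
}

// entryEscapes reports whether a tar entry, resolved against dest, would land outside
// <dest>/<chartName>/: absolute names, ".." traversal, or a file collapsing straight into dest.
func entryEscapes(dest, chartName, name string) bool {
	if filepath.IsAbs(name) {
		return true
	}
	sep := string(filepath.Separator)
	resolved := filepath.Join(dest, filepath.FromSlash(name)) + sep
	return !strings.HasPrefix(resolved, filepath.Join(dest, chartName)+sep)
}

// checkChartArchive returns the entry names that would escape <dest>/<chartName>/ (empty = well contained).
func checkChartArchive(archive []byte, dest, chartName string) ([]string, error) {
	tr := tar.NewReader(bytes.NewReader(archive))
	var escaped []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return escaped, nil
		} else if err != nil {
			return nil, err
		}
		if entryEscapes(dest, chartName, hdr.Name) {
			escaped = append(escaped, hdr.Name)
		}
	}
}
```

Running the check on a pulled `.tgz` (after gunzip) before extraction, or on the on-disk result afterwards, gives a CI pipeline a cheap containment gate independent of the Helm version in use.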

The update is classified as a patch version upgrade, indicating the maintainers' assessment that it contains only security fixes and no breaking changes. Verification steps for the update, as noted in the source, include successful builds of dependent Go modules and Docker images. For organizations and developers using Helm to manage Kubernetes deployments, this is a high-priority update. The vulnerability underscores the persistent security risks in toolchains that handle external, potentially untrusted artifacts, even from core infrastructure projects like Helm. Immediate upgrade to v3.20.2 is the recommended mitigation to close this directory traversal vector.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: Kubernetes, Supply Chain Security, CVE, DevOps, Open Source
- **Credibility**: unverified
- **Published**: 2026-04-11 18:22:27
- **ID**: 60195
- **URL**: https://whisperx.ai/en/intel/60195