Helm, the package manager for Kubernetes, has recently received a new update that addresses a security vulnerability known as CVE-2025-32387. The vulnerability, a stack overflow caused by deeply nested references within a JSON Schema file of a Helm Chart, has been resolved with the release of Helm v3.17.3.

In this post, we will delve into the details of this issue, discussing how it can be exploited, and reviewing the changes implemented in Helm v3.17.3 to mitigate this vulnerability.

Helm and Kubernetes Charts

Helm is an essential tool for the Kubernetes ecosystem, simplifying the deployment and management of Kubernetes applications through the use of "Charts." A Chart is a collection of files, including templates, default configurations, and metadata, that provides a standard way of packaging and deploying Kubernetes applications.

The CVE-2025-32387 Vulnerability

The issue at the heart of CVE-2025-32387 involves JSON Schema files within a Helm Chart. A malicious actor can craft a JSON Schema with an excessive number of nested references, causing a Helm parser to recurse beyond the stack size limit and trigger a stack overflow.

To understand how this vulnerability can be exploited, consider the following example of a values.schema.json shipped inside a Chart:

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type": "object",
  "additionalProperties": false,
  "properties": {
    "maliciousProp": {
      "$ref": "#/definitions/recursiveRef"
    }
  },
  "definitions": {
    "recursiveRef": {
      "anyOf": [
        {"$ref": "#/definitions/recursiveRef"}
      ]
    }
  }
}

In this example, the maliciousProp property contains a reference to the recursiveRef definition. This definition, in turn, includes an anyOf array with a single element: a reference to itself. Thus, when Helm attempts to parse this JSON Schema, it will endlessly recurse, leading to a stack overflow and a crash.

Mitigating CVE-2025-32387

The Helm project has released v3.17.3 to address this vulnerability. This patch introduces limits to the depth of reference chaining in JSON Schema parsing, preventing the occurrence of stack overflows in this context.

The following code snippet illustrates this limit enforcement, as seen in Helm's source code:

func resolveRef(value interface{}, depth int) (interface{}, error) {
	if depth > maxJSONSchemaResolveDepth {
		return nil, fmt.Errorf("exceeded maximum JSON Schema resolve depth (%d)", maxJSONSchemaResolveDepth)
	}
	// ...
}

This solution checks the depth of JSON references during parsing, returning an error and aborting if the depth exceeds the defined maxJSONSchemaResolveDepth. This prevents exploitation of the vulnerability by limiting the extent to which Helm will follow nested references.
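The following Go program is an added example, not Helm's own code, that ties the two halves of this post together: it embeds the self-referential schema shown above as constructed sample input, resolves local "$ref" pointers the way a naive validator would, and shows how a depth counter of the kind described in the fix turns the otherwise unbounded recursion into a clean error. The limit value (32), the function names and the error variable are assumptions chosen for the example; Helm's real constant, its value, and the validator it uses are not quoted on this page.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// maxResolveDepth is a hypothetical limit for this example; Helm's own
// constant and its value are not reproduced here.
const maxResolveDepth = 32

var errDepthExceeded = errors.New("exceeded maximum $ref resolve depth")

// Constructed sample: the self-referential schema discussed in the post.
const recursiveSchema = `{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type": "object",
  "additionalProperties": false,
  "properties": {"maliciousProp": {"$ref": "#/definitions/recursiveRef"}},
  "definitions": {"recursiveRef": {"anyOf": [{"$ref": "#/definitions/recursiveRef"}]}}
}`

// Constructed sample: a benign schema whose single $ref terminates.
const benignSchema = `{
  "type": "object",
  "properties": {"name": {"$ref": "#/definitions/str"}},
  "definitions": {"str": {"type": "string"}}
}`

// lookupPointer follows a local JSON pointer such as "#/definitions/recursiveRef"
// within root. Remote references are out of scope for this example.
func lookupPointer(root map[string]interface{}, ref string) (interface{}, error) {
	if !strings.HasPrefix(ref, "#/") {
		return nil, fmt.Errorf("unsupported $ref %q (only local pointers handled here)", ref)
	}
	var cur interface{} = root
	for _, seg := range strings.Split(strings.TrimPrefix(ref, "#/"), "/") {
		obj, ok := cur.(map[string]interface{})
		if !ok {
			return nil, fmt.Errorf("$ref %q: segment %q does not point into an object", ref, seg)
		}
		if cur, ok = obj[seg]; !ok {
			return nil, fmt.Errorf("$ref %q: missing key %q", ref, seg)
		}
	}
	return cur, nil
}

// walk resolves every $ref reachable from node, recursing into each target.
// depth counts chained references only: without the check on the first line,
// a definition that refers to itself would recurse until the stack is exhausted.
func walk(root map[string]interface{}, node interface{}, depth int) error {
	if depth > maxResolveDepth {
		return errDepthExceeded
	}
	switch v := node.(type) {
	case map[string]interface{}:
		if ref, ok := v["$ref"].(string); ok {
			target, err := lookupPointer(root, ref)
			if err != nil {
				return err
			}
			// Following a reference is the step that grows the call stack.
			return walk(root, target, depth+1)
		}
		for _, child := range v {
			if err := walk(root, child, depth); err != nil {
				return err
			}
		}
	case []interface{}:
		for _, child := range v {
			if err := walk(root, child, depth); err != nil {
				return err
			}
		}
	}
	return nil
}

// CheckSchema parses raw JSON Schema text and reports whether its $ref chains
// stay within maxResolveDepth; a nil result means the schema is safe to validate against.
func CheckSchema(raw string) error {
	var root map[string]interface{}
	if err := json.Unmarshal([]byte(raw), &root); err != nil {
		return fmt.Errorf("invalid JSON Schema: %w", err)
	}
	return walk(root, root, 0)
}

func main() {
	fmt.Println("benign:   ", CheckSchema(benignSchema))
	fmt.Println("recursive:", CheckSchema(recursiveSchema))
}
```

Running the program prints nil for the benign schema and the depth error for the recursive one. The design point is where the counter is incremented: only when a "$ref" is followed, not on ordinary nesting, because ordinary nesting is bounded by the size of the file whereas reference chains are not. The same check is cheap to run as a pre-flight step in a chart-linting pipeline before untrusted Charts reach a cluster.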

Upgrade to Helm v3.17.3

To protect yourself from this vulnerability, it's crucial to update your Helm installation to version 3.17.3 or newer. You can find the latest release and installation instructions on the official Helm GitHub repository.

Additionally, always be cautious when installing and using Helm Charts from untrusted sources. Make sure to validate and review any Chart before deploying it in your Kubernetes environment.

Conclusion

CVE-2025-32387 highlights the potential security risks posed by excessive recursion in JSON Schema files within a Helm Chart. By understanding the vulnerability, and by updating to Helm v3.17.3, users can safely deploy and manage their Kubernetes applications, while avoiding any stack overflow issues from malicious JSON Schemas.

Timeline

Published on: 04/09/2025 23:15:37 UTC
Last modified on: 04/11/2025 15:40:10 UTC