Nixpkgs security tracker

Untriaged

Permalink CVE-2026-35204

created 5 days, 15 hours ago

Helm has a path traversal in plugin metadata version enables arbitrary file write outside Helm plugin directory

Helm is a package manager for Charts for Kubernetes. From 4.0.0 to 4.1.3, a specially crafted Helm plugin, when installed or updated, will cause Helm to write the contents of the plugin to an arbitrary filesystem location. To prevent this, validate that the plugin.yaml of the Helm plugin does not include a version: field containing POSIX dot-dot path separators ie. "/../". This vulnerability is fixed in 4.1.4.

References

https://github.com/helm/helm/security/advisories/GHSA-vmx8-mqv2-9gmg x_refsource_CONFIRM
https://github.com/helm/helm/commit/36c8539e99bc42d7aef9b87d136254662d04f027 x_refsource_MISC
https://github.com/helm/helm/releases/tag/v4.1.4 x_refsource_MISC

Affected products

helm

==>= 4.0.0, < 4.1.4

Matching in nixpkgs

pkgs.helm

Free, cross-platform, polyphonic synthesizer

nixos-unstable 0.9.0
- nixpkgs-unstable 0.9.0
- nixos-unstable-small 0.9.0
nixos-25.11 0.9.0
- nixos-25.11-small 0.9.0
- nixpkgs-25.11-darwin 0.9.0

pkgs.helm-ls

Language server for Helm

nixos-unstable 0.5.4
- nixpkgs-unstable 0.5.4
- nixos-unstable-small 0.5.4
nixos-25.11 0.4.1
- nixos-25.11-small 0.4.1
- nixpkgs-25.11-darwin 0.4.1

pkgs.helmfile

Declarative spec for deploying Helm charts

nixos-unstable 1.4.3
- nixpkgs-unstable 1.4.3
- nixos-unstable-small 1.4.3
nixos-25.11 1.1.9
- nixos-25.11-small 1.1.9
- nixpkgs-25.11-darwin 1.1.9

pkgs.helmsman

Helm Charts (k8s applications) as Code tool

nixos-unstable 4.0.5
- nixpkgs-unstable 4.0.5
- nixos-unstable-small 4.0.5
nixos-25.11 4.0.1
- nixos-25.11-small 4.0.1
- nixpkgs-25.11-darwin 4.0.1

pkgs.helm-docs

Tool for automatically generating markdown documentation for Helm charts

nixos-unstable 1.14.2
- nixpkgs-unstable 1.14.2
- nixos-unstable-small 1.14.2
nixos-25.11 1.14.2
- nixos-25.11-small 1.14.2
- nixpkgs-25.11-darwin 1.14.2

pkgs.helmholtz

Time domain pitch tracker for Pure Data

nixos-unstable 1.0
- nixpkgs-unstable 1.0
- nixos-unstable-small 1.0
nixos-25.11 -
- nixos-25.11-small
- nixpkgs-25.11-darwin

pkgs.helm-dashboard

Simplified way of working with Helm

nixos-unstable 1.3.3
- nixpkgs-unstable 1.3.3
- nixos-unstable-small 1.3.3
nixos-25.11 1.3.3
- nixos-25.11-small 1.3.3
- nixpkgs-25.11-darwin 1.3.3

pkgs.kubernetes-helm

Package manager for kubernetes

nixos-unstable 3.19.1
- nixpkgs-unstable 3.19.1
- nixos-unstable-small 3.19.1
nixos-25.11 3.19.1
- nixos-25.11-small 3.19.1
- nixpkgs-25.11-darwin 3.19.1

pkgs.helmfile-wrapped

Declarative spec for deploying Helm charts

nixos-unstable 1.4.3
- nixpkgs-unstable 1.4.3
- nixos-unstable-small 1.4.3
nixos-25.11 1.1.9
- nixos-25.11-small 1.1.9
- nixpkgs-25.11-darwin 1.1.9

pkgs.terraform-providers.helm

None

nixos-unstable 3.1.1
- nixpkgs-unstable 3.1.1
- nixos-unstable-small 3.1.1
nixos-25.11 3.1.1
- nixos-25.11-small 3.1.1
- nixpkgs-25.11-darwin 3.1.1

pkgs.kubernetes-helmPlugins.helm-dt

Helm Distribution plugin is is a set of utilities and Helm Plugin for making offline work with Helm Charts easier

nixos-unstable 0.4.12
- nixpkgs-unstable 0.4.12
- nixos-unstable-small 0.4.12
nixos-25.11 0.4.12
- nixos-25.11-small 0.4.12
- nixpkgs-25.11-darwin 0.4.12

pkgs.kubernetes-helmPlugins.helm-s3

Helm plugin that allows to set up a chart repository using AWS S3

nixos-unstable s3-0.17.1
- nixpkgs-unstable s3-0.17.1
- nixos-unstable-small s3-0.17.1
nixos-25.11 s3-0.17.1
- nixos-25.11-small s3-0.17.1
- nixpkgs-25.11-darwin s3-0.17.1

pkgs.kubernetes-helmPlugins.helm-git

Helm downloader plugin that provides GIT protocol support

nixos-unstable 1.5.2
- nixpkgs-unstable 1.5.2
- nixos-unstable-small 1.5.2
nixos-25.11 1.4.1
- nixos-25.11-small 1.4.1
- nixpkgs-25.11-darwin 1.4.1

pkgs.kubernetes-helmPlugins.helm-diff

Helm plugin that shows a diff

nixos-unstable 3.15.4
- nixpkgs-unstable 3.15.4
- nixos-unstable-small 3.15.4
nixos-25.11 3.13.1
- nixos-25.11-small 3.13.1
- nixpkgs-25.11-darwin 3.13.1

pkgs.kubernetes-helmPlugins.helm-schema

Helm plugin for generating values.schema.json from multiple values files

nixos-unstable 2.3.1
- nixpkgs-unstable 2.3.1
- nixos-unstable-small 2.3.1
nixos-25.11 2.3.0
- nixos-25.11-small 2.3.0
- nixpkgs-25.11-darwin 2.3.0

pkgs.terraform-providers.hashicorp_helm

None

nixos-unstable 3.1.1
- nixpkgs-unstable 3.1.1
- nixos-unstable-small 3.1.1
nixos-25.11 3.1.1
- nixos-25.11-small 3.1.1
- nixpkgs-25.11-darwin 3.1.1

pkgs.kubernetes-helmPlugins.helm-cm-push

Helm plugin to push chart package to ChartMuseum

nixos-unstable 0.11.1
- nixpkgs-unstable 0.11.1
- nixos-unstable-small 0.11.1
nixos-25.11 0.10.4
- nixos-25.11-small 0.10.4
- nixpkgs-25.11-darwin 0.10.4

pkgs.kubernetes-helmPlugins.helm-secrets

Helm plugin that helps manage secrets

nixos-unstable 4.6.10
- nixpkgs-unstable 4.6.10
- nixos-unstable-small 4.6.10
nixos-25.11 4.6.10
- nixos-25.11-small 4.6.10
- nixpkgs-25.11-darwin 4.6.10

pkgs.kubernetes-helmPlugins.helm-unittest

BDD styled unit test framework for Kubernetes Helm charts as a Helm plugin

nixos-unstable 1.0.3
- nixpkgs-unstable 1.0.3
- nixos-unstable-small 1.0.3
nixos-25.11 0.7.2
- nixos-25.11-small 0.7.2
- nixpkgs-25.11-darwin 0.7.2

pkgs.kubernetes-helmPlugins.helm-mapkubeapis

Helm plugin which maps deprecated or removed Kubernetes APIs in a release to supported APIs

nixos-unstable 0.6.1
- nixpkgs-unstable 0.6.1
- nixos-unstable-small 0.6.1
nixos-25.11 0.6.1
- nixos-25.11-small 0.6.1
- nixpkgs-25.11-darwin 0.6.1

pkgs.vimPlugins.nvim-treesitter-parsers.helm

None

nixos-unstable 0.0.0+rev=aa71f63
- nixpkgs-unstable 0.0.0+rev=aa71f63
- nixos-unstable-small 0.0.0+rev=aa71f63
nixos-25.11 -
- nixos-25.11-small
- nixpkgs-25.11-darwin

pkgs.vscode-extensions.tim-koehler.helm-intellisense

Extension to help writing Helm-Templates by providing intellisense

nixos-unstable 0.15.0
- nixpkgs-unstable 0.15.0
- nixos-unstable-small 0.15.0
nixos-25.11 0.15.0
- nixos-25.11-small 0.15.0
- nixpkgs-25.11-darwin 0.15.0

pkgs.tree-sitter-grammars.tree-sitter-go-template-helm

Tree-sitter grammar for go-template-helm

nixos-unstable 0-unstable-2026-03-21
- nixpkgs-unstable 0-unstable-2026-03-21
- nixos-unstable-small 0-unstable-2026-03-21

pkgs.python313Packages.tree-sitter-grammars.tree-sitter-go-template-helm

Python bindings for tree-sitter-go-template-helm

nixos-unstable 0+unstable20260321
- nixpkgs-unstable 0+unstable20260321
- nixos-unstable-small 0+unstable20260321

pkgs.python314Packages.tree-sitter-grammars.tree-sitter-go-template-helm

Python bindings for tree-sitter-go-template-helm

nixos-unstable 0+unstable20260321
- nixpkgs-unstable 0+unstable20260321
- nixos-unstable-small 0+unstable20260321

Package maintainers

@Bot-wxt1221 Bot-wxt1221 <3264117476@qq.com>
@magnetophon Bart Brouns <bart@magnetophon.nl>
@qjoly Quentin JOLY <github@une-pause-cafe.fr>
@sagikazarmark Mark Sagi-Kazar <mark.sagikazar@gmail.com>
@stehessel Stephan Heßelmann <stephan@stehessel.de>
@kliu128 Kevin Liu <kevin@potatofrom.space>
@yurrriq Eric Bailey <eric@ericb.me>
@sarcasticadmin Robert James Hernandez <rob@sarcasticadmin.com>
@Lynty Lynn Dong <ltdong93+nix@gmail.com>
@saschagrunert Sascha Grunert <mail@saschagrunert.de>
@Chili-Man Diego Rodriguez <dr.elhombrechile@gmail.com>
@Frostman Sergei Lukianov <me@slukjanov.name>
@edude03 Michael Francis <michael@melenion.com>
@techknowlogick techknowlogick <techknowlogick@gitea.com>
@rlupton20 Richard Lupton <richard.lupton@gmail.com>
@a1994sc Allen Conlon <software@conlon.dev>
@flokli Florian Klink <flokli@flokli.de>
@aos aos <n@aos.sh>
@applejag Kalle Fagerberg <applejag.luminance905@passmail.com>
@mightyiam Shahar "Dawn" Or <mightyiampresence@gmail.com>
@stepbrobd Yifei Sun <ysun@hey.com>
@A-jay98 Ali Jamadi <ali@jamadi.me>
@adfaure Adrien Faure <adfaure@pm.me>
@azahi Azat Bahawi <azat@bahawi.net>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.helm

pkgs.helm-ls

pkgs.helmfile

pkgs.helmsman

pkgs.helm-docs

pkgs.helmholtz

pkgs.helm-dashboard

pkgs.kubernetes-helm

pkgs.helmfile-wrapped

pkgs.terraform-providers.helm

pkgs.kubernetes-helmPlugins.helm-dt

pkgs.kubernetes-helmPlugins.helm-s3

pkgs.kubernetes-helmPlugins.helm-git

pkgs.kubernetes-helmPlugins.helm-diff

pkgs.kubernetes-helmPlugins.helm-schema

pkgs.terraform-providers.hashicorp_helm

pkgs.kubernetes-helmPlugins.helm-cm-push

pkgs.kubernetes-helmPlugins.helm-secrets

pkgs.kubernetes-helmPlugins.helm-unittest

pkgs.kubernetes-helmPlugins.helm-mapkubeapis

pkgs.vimPlugins.nvim-treesitter-parsers.helm

pkgs.vscode-extensions.tim-koehler.helm-intellisense

pkgs.tree-sitter-grammars.tree-sitter-go-template-helm

pkgs.python313Packages.tree-sitter-grammars.tree-sitter-go-template-helm

pkgs.python314Packages.tree-sitter-grammars.tree-sitter-go-template-helm

Package maintainers