Nixpkgs security tracker

Untriaged

Permalink CVE-2026-35206

created 5 days, 15 hours ago

Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment

Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart's name. This vulnerability is fixed in 3.20.2 and 4.1.4.

References

https://github.com/helm/helm/security/advisories/GHSA-hr2v-4r36-88hr x_refsource_CONFIRM
https://github.com/helm/helm/commit/4e7994d4467182f535b6797c94b5b0e994a91436 x_refsource_MISC
https://github.com/helm/helm/releases/tag/v4.1.4 x_refsource_MISC

Affected products

helm

==>= 4.0.0, < 4.1.4
==< 3.20.2

Matching in nixpkgs

pkgs.helm

Free, cross-platform, polyphonic synthesizer

nixos-unstable 0.9.0
- nixpkgs-unstable 0.9.0
- nixos-unstable-small 0.9.0
nixos-25.11 0.9.0
- nixos-25.11-small 0.9.0
- nixpkgs-25.11-darwin 0.9.0

pkgs.helm-ls

Language server for Helm

nixos-unstable 0.5.4
- nixpkgs-unstable 0.5.4
- nixos-unstable-small 0.5.4
nixos-25.11 0.4.1
- nixos-25.11-small 0.4.1
- nixpkgs-25.11-darwin 0.4.1

pkgs.helmfile

Declarative spec for deploying Helm charts

nixos-unstable 1.4.3
- nixpkgs-unstable 1.4.3
- nixos-unstable-small 1.4.3
nixos-25.11 1.1.9
- nixos-25.11-small 1.1.9
- nixpkgs-25.11-darwin 1.1.9

pkgs.helmsman

Helm Charts (k8s applications) as Code tool

nixos-unstable 4.0.5
- nixpkgs-unstable 4.0.5
- nixos-unstable-small 4.0.5
nixos-25.11 4.0.1
- nixos-25.11-small 4.0.1
- nixpkgs-25.11-darwin 4.0.1

pkgs.helm-docs

Tool for automatically generating markdown documentation for Helm charts

nixos-unstable 1.14.2
- nixpkgs-unstable 1.14.2
- nixos-unstable-small 1.14.2
nixos-25.11 1.14.2
- nixos-25.11-small 1.14.2
- nixpkgs-25.11-darwin 1.14.2

pkgs.helmholtz

Time domain pitch tracker for Pure Data

nixos-unstable 1.0
- nixpkgs-unstable 1.0
- nixos-unstable-small 1.0
nixos-25.11 -
- nixos-25.11-small
- nixpkgs-25.11-darwin

pkgs.helm-dashboard

Simplified way of working with Helm

nixos-unstable 1.3.3
- nixpkgs-unstable 1.3.3
- nixos-unstable-small 1.3.3
nixos-25.11 1.3.3
- nixos-25.11-small 1.3.3
- nixpkgs-25.11-darwin 1.3.3

pkgs.kubernetes-helm

Package manager for kubernetes

nixos-unstable 3.19.1
- nixpkgs-unstable 3.19.1
- nixos-unstable-small 3.19.1
nixos-25.11 3.19.1
- nixos-25.11-small 3.19.1
- nixpkgs-25.11-darwin 3.19.1

pkgs.helmfile-wrapped

Declarative spec for deploying Helm charts

nixos-unstable 1.4.3
- nixpkgs-unstable 1.4.3
- nixos-unstable-small 1.4.3
nixos-25.11 1.1.9
- nixos-25.11-small 1.1.9
- nixpkgs-25.11-darwin 1.1.9

pkgs.terraform-providers.helm

None

nixos-unstable 3.1.1
- nixpkgs-unstable 3.1.1
- nixos-unstable-small 3.1.1
nixos-25.11 3.1.1
- nixos-25.11-small 3.1.1
- nixpkgs-25.11-darwin 3.1.1

pkgs.kubernetes-helmPlugins.helm-dt

Helm Distribution plugin is is a set of utilities and Helm Plugin for making offline work with Helm Charts easier

nixos-unstable 0.4.12
- nixpkgs-unstable 0.4.12
- nixos-unstable-small 0.4.12
nixos-25.11 0.4.12
- nixos-25.11-small 0.4.12
- nixpkgs-25.11-darwin 0.4.12

pkgs.kubernetes-helmPlugins.helm-s3

Helm plugin that allows to set up a chart repository using AWS S3

nixos-unstable s3-0.17.1
- nixpkgs-unstable s3-0.17.1
- nixos-unstable-small s3-0.17.1
nixos-25.11 s3-0.17.1
- nixos-25.11-small s3-0.17.1
- nixpkgs-25.11-darwin s3-0.17.1

pkgs.kubernetes-helmPlugins.helm-git

Helm downloader plugin that provides GIT protocol support

nixos-unstable 1.5.2
- nixpkgs-unstable 1.5.2
- nixos-unstable-small 1.5.2
nixos-25.11 1.4.1
- nixos-25.11-small 1.4.1
- nixpkgs-25.11-darwin 1.4.1

pkgs.kubernetes-helmPlugins.helm-diff

Helm plugin that shows a diff

nixos-unstable 3.15.4
- nixpkgs-unstable 3.15.4
- nixos-unstable-small 3.15.4
nixos-25.11 3.13.1
- nixos-25.11-small 3.13.1
- nixpkgs-25.11-darwin 3.13.1

pkgs.kubernetes-helmPlugins.helm-schema

Helm plugin for generating values.schema.json from multiple values files

nixos-unstable 2.3.1
- nixpkgs-unstable 2.3.1
- nixos-unstable-small 2.3.1
nixos-25.11 2.3.0
- nixos-25.11-small 2.3.0
- nixpkgs-25.11-darwin 2.3.0

pkgs.terraform-providers.hashicorp_helm

None

nixos-unstable 3.1.1
- nixpkgs-unstable 3.1.1
- nixos-unstable-small 3.1.1
nixos-25.11 3.1.1
- nixos-25.11-small 3.1.1
- nixpkgs-25.11-darwin 3.1.1

pkgs.kubernetes-helmPlugins.helm-cm-push

Helm plugin to push chart package to ChartMuseum

nixos-unstable 0.11.1
- nixpkgs-unstable 0.11.1
- nixos-unstable-small 0.11.1
nixos-25.11 0.10.4
- nixos-25.11-small 0.10.4
- nixpkgs-25.11-darwin 0.10.4

pkgs.kubernetes-helmPlugins.helm-secrets

Helm plugin that helps manage secrets

nixos-unstable 4.6.10
- nixpkgs-unstable 4.6.10
- nixos-unstable-small 4.6.10
nixos-25.11 4.6.10
- nixos-25.11-small 4.6.10
- nixpkgs-25.11-darwin 4.6.10

pkgs.kubernetes-helmPlugins.helm-unittest

BDD styled unit test framework for Kubernetes Helm charts as a Helm plugin

nixos-unstable 1.0.3
- nixpkgs-unstable 1.0.3
- nixos-unstable-small 1.0.3
nixos-25.11 0.7.2
- nixos-25.11-small 0.7.2
- nixpkgs-25.11-darwin 0.7.2

pkgs.kubernetes-helmPlugins.helm-mapkubeapis

Helm plugin which maps deprecated or removed Kubernetes APIs in a release to supported APIs

nixos-unstable 0.6.1
- nixpkgs-unstable 0.6.1
- nixos-unstable-small 0.6.1
nixos-25.11 0.6.1
- nixos-25.11-small 0.6.1
- nixpkgs-25.11-darwin 0.6.1

pkgs.vimPlugins.nvim-treesitter-parsers.helm

None

nixos-unstable 0.0.0+rev=aa71f63
- nixpkgs-unstable 0.0.0+rev=aa71f63
- nixos-unstable-small 0.0.0+rev=aa71f63
nixos-25.11 -
- nixos-25.11-small
- nixpkgs-25.11-darwin

pkgs.vscode-extensions.tim-koehler.helm-intellisense

Extension to help writing Helm-Templates by providing intellisense

nixos-unstable 0.15.0
- nixpkgs-unstable 0.15.0
- nixos-unstable-small 0.15.0
nixos-25.11 0.15.0
- nixos-25.11-small 0.15.0
- nixpkgs-25.11-darwin 0.15.0

pkgs.tree-sitter-grammars.tree-sitter-go-template-helm

Tree-sitter grammar for go-template-helm

nixos-unstable 0-unstable-2026-03-21
- nixpkgs-unstable 0-unstable-2026-03-21
- nixos-unstable-small 0-unstable-2026-03-21

pkgs.python313Packages.tree-sitter-grammars.tree-sitter-go-template-helm

Python bindings for tree-sitter-go-template-helm

nixos-unstable 0+unstable20260321
- nixpkgs-unstable 0+unstable20260321
- nixos-unstable-small 0+unstable20260321

pkgs.python314Packages.tree-sitter-grammars.tree-sitter-go-template-helm

Python bindings for tree-sitter-go-template-helm

nixos-unstable 0+unstable20260321
- nixpkgs-unstable 0+unstable20260321
- nixos-unstable-small 0+unstable20260321

Package maintainers

@Bot-wxt1221 Bot-wxt1221 <3264117476@qq.com>
@magnetophon Bart Brouns <bart@magnetophon.nl>
@qjoly Quentin JOLY <github@une-pause-cafe.fr>
@sagikazarmark Mark Sagi-Kazar <mark.sagikazar@gmail.com>
@stehessel Stephan Heßelmann <stephan@stehessel.de>
@kliu128 Kevin Liu <kevin@potatofrom.space>
@yurrriq Eric Bailey <eric@ericb.me>
@sarcasticadmin Robert James Hernandez <rob@sarcasticadmin.com>
@Lynty Lynn Dong <ltdong93+nix@gmail.com>
@saschagrunert Sascha Grunert <mail@saschagrunert.de>
@Chili-Man Diego Rodriguez <dr.elhombrechile@gmail.com>
@Frostman Sergei Lukianov <me@slukjanov.name>
@edude03 Michael Francis <michael@melenion.com>
@techknowlogick techknowlogick <techknowlogick@gitea.com>
@rlupton20 Richard Lupton <richard.lupton@gmail.com>
@a1994sc Allen Conlon <software@conlon.dev>
@flokli Florian Klink <flokli@flokli.de>
@aos aos <n@aos.sh>
@applejag Kalle Fagerberg <applejag.luminance905@passmail.com>
@mightyiam Shahar "Dawn" Or <mightyiampresence@gmail.com>
@stepbrobd Yifei Sun <ysun@hey.com>
@A-jay98 Ali Jamadi <ali@jamadi.me>
@adfaure Adrien Faure <adfaure@pm.me>
@azahi Azat Bahawi <azat@bahawi.net>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.helm

pkgs.helm-ls

pkgs.helmfile

pkgs.helmsman

pkgs.helm-docs

pkgs.helmholtz

pkgs.helm-dashboard

pkgs.kubernetes-helm

pkgs.helmfile-wrapped

pkgs.terraform-providers.helm

pkgs.kubernetes-helmPlugins.helm-dt

pkgs.kubernetes-helmPlugins.helm-s3

pkgs.kubernetes-helmPlugins.helm-git

pkgs.kubernetes-helmPlugins.helm-diff

pkgs.kubernetes-helmPlugins.helm-schema

pkgs.terraform-providers.hashicorp_helm

pkgs.kubernetes-helmPlugins.helm-cm-push

pkgs.kubernetes-helmPlugins.helm-secrets

pkgs.kubernetes-helmPlugins.helm-unittest

pkgs.kubernetes-helmPlugins.helm-mapkubeapis

pkgs.vimPlugins.nvim-treesitter-parsers.helm

pkgs.vscode-extensions.tim-koehler.helm-intellisense

pkgs.tree-sitter-grammars.tree-sitter-go-template-helm

pkgs.python313Packages.tree-sitter-grammars.tree-sitter-go-template-helm

pkgs.python314Packages.tree-sitter-grammars.tree-sitter-go-template-helm

Package maintainers