Insecure functionality in helm.sh/helm/v4

Description

Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install. Helm is a package manager for Charts for Kubernetes. In Helm versions >=4.0.0 and <=4.1.3, Helm installs plugins that are missing provenance (a .prov file) even when signature verification is required.

Impact

The bug allows plugin authors to omit provenance (signing) data from plugins, bypassing plugin signature verification upon plugin install/update.

Notably, plugin hooks will be executed as designed on the installed plugin, enabling a malicious plugin to execute arbitrary code.

Patches

This issue has been patched in Helm v4.1.4.

Installing or updating a plugin with missing provenance now errors if signature verification is required.

Workarounds

Users can manually verify that a plugin archive is accompanied by its provenance data (.prov file) before installation.
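The decision the advisory describes, a missing .prov sidecar treated as "nothing to verify" versus treated as an error, as an added illustration that is not Helm's source: `VerifyFailOpen` shows the flawed pattern, `VerifyFailClosed` the corrected one, and the PGP check itself is abstracted behind a `SignatureCheck` callback (all names are assumptions for this example).

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// ErrMissingProvenance: verification was required but the archive has no .prov sidecar.
var ErrMissingProvenance = errors.New("plugin archive is missing its .prov provenance file")

// SignatureCheck stands in for the real signature verification of archive against prov.
type SignatureCheck func(archive, prov string) error

// VerifyFailOpen reproduces the flawed decision described in the advisory: when the
// .prov sidecar is absent, the signature step is skipped even though required is true.
// Illustration of the pattern only, not Helm's code.
func VerifyFailOpen(archive string, required bool, check SignatureCheck) error {
	prov := archive + ".prov"
	if _, err := os.Stat(prov); err != nil {
		return nil // BUG: absence of provenance is treated as "nothing to verify"
	}
	return check(archive, prov)
}

// VerifyFailClosed is the corrected decision: a missing .prov is an error whenever
// verification is required; only an explicit "not required" lets an unsigned archive through.
func VerifyFailClosed(archive string, required bool, check SignatureCheck) error {
	prov := archive + ".prov"
	if _, err := os.Stat(prov); err != nil {
		if required {
			return ErrMissingProvenance
		}
		return nil
	}
	return check(archive, prov)
}

func main() {
	// Constructed sample: an archive with no .prov sidecar, verification required.
	f, err := os.CreateTemp("", "plugin-*.tgz")
	if err != nil {
		panic(err)
	}
	defer os.Remove(f.Name())
	f.Close()
	never := func(archive, prov string) error { return errors.New("signature check should not run") }
	fmt.Println("fail-open:  ", VerifyFailOpen(f.Name(), true, never))   // <nil>: unsigned install proceeds
	fmt.Println("fail-closed:", VerifyFailClosed(f.Name(), true, never)) // missing .prov is rejected
}
```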
