POC details: 13c73bac84bd0a138bd0b9de3a28de9f80accfd7

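Source
Related vulnerability
Title: Helm code injection vulnerability (CVE-2025-53547)
Description: Helm is a Kubernetes package manager from the CNCF. Versions of Helm before 3.18.4 contain a code injection vulnerability: specially crafted Chart.yaml and Chart.lock files can lead to local code execution.
Description
One PoC for CVE-2025-53547
Introduction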
# CVE-2025-53547 POC

This is a PoC for CVE-2025-53547.

In this test, `Chart.lock` is a symbolic link to `/tmp/1.txt`.

An injected command that creates `/tmp/2.txt` ends up in `/tmp/1.txt`.

In a real production environment, you can change the `Chart.lock` link target to inject any command you want, for example:

* /root/.bash_rc
* /root/.bash_profile
* /etc/profile
......

or any other shell script file that gets run.

Then change the dependency repository URL parameters in `Chart.yaml` to run a different command.

## Usage

Helm <= 3.18.3

First run:

```bash
helm dependency update
```

Then you'll find `/tmp/1.txt`.

Then run:

```bash
bash /tmp/1.txt
```

Then you'll find `/tmp/2.txt`.
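
A defender-side pre-flight check for the condition this PoC relies on, added here as an example and not part of the PoC repository: it refuses to proceed when any `Chart.lock` in a chart tree is a symlink and flags Helm versions older than 3.18.4. The function names are hypothetical, and the version string in the comment is a constructed sample.

```bash
#!/bin/sh
# Added example, not from the PoC repository: pre-flight check to run before
# `helm dependency update`. All function names are hypothetical.

FIXED_VERSION=3.18.4     # first fixed release, as stated on this page
FIXED_PACKED=3018004     # same value packed as major*1000000 + minor*1000 + patch

# Return 0 if a version such as "v3.18.3+g0000000" (constructed) is >= 3.18.4.
helm_version_is_patched() {
    hv=${1#v}                       # strip the leading "v"
    hv=${hv%%[-+]*}                 # drop pre-release / build metadata
    old_ifs=$IFS; IFS=.
    set -- $hv                      # split into major minor patch
    IFS=$old_ifs
    [ $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} )) -ge "$FIXED_PACKED" ]
}

# Return 0 if no Chart.lock under $1 (subcharts included) is a symlink.
# find without -L reports the link itself, so dangling links are caught too.
chart_lock_is_safe() {
    hits=$(find "$1" -name Chart.lock -type l -exec ls -l {} +)
    [ -z "$hits" ] && return 0
    printf 'refusing to update, Chart.lock is a symlink:\n%s\n' "$hits" >&2
    return 1
}

# preflight CHART_DIR HELM_VERSION -> 0 ok, 1 symlinked lock, 2 unpatched Helm
preflight() {
    chart_lock_is_safe "$1" || return 1
    helm_version_is_patched "$2" && return 0
    echo "helm $2 is older than $FIXED_VERSION; upgrade before updating dependencies" >&2
    return 2
}

# Typical call:
#   preflight ./mychart "$(helm version --short)" && helm dependency update ./mychart
```

The symlink check applies regardless of the installed Helm version, since it also catches charts that were tampered with before an upgrade.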


## Reference

* https://github.com/helm/helm/security/advisories/GHSA-557j-xg8c-q2mm
* https://github.com/helm/helm/compare/v3.18.3...v3.18.4
File snapshot

[4.0K] /data/pocs/13c73bac84bd0a138bd0b9de3a28de9f80accfd7
├── [  10] Chart.lock -> /tmp/1.txt
├── [ 423] Chart.yaml
└── [ 756] README.md

0 directories, 3 files