Charting your way in Helm template injection

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://synacktiv.com/en/publications/charting-your-way-in-helm-template-injection.html
• Blog Title: Charting your way in: Helm template injection
• Suggested Section: Pentesting Cloud -> Kubernetes Pentesting -> Kubernetes Enumeration/Attacks or a new page under Kubernetes Pentesting titled 'Helm Template Injection / YAML Injection'; also cross-reference from Pentesting CI/CD/GitOps if an ArgoCD section exists or is added

🎯 Content Summary

The blog post describes a Helm template injection / YAML injection vulnerability discovered during a Kubernetes audit where Helm charts were applied through ArgoCD. There is no CVE assigned. The core issue is that attacker-controlled values from values.yaml are inserted into Kubernetes YAML manifests through .Values without proper escaping, type coercion, or validation. In GitOps setups this is especially dangerous because administrators may allow devel...

🔧 Technical Details

Helm .Values YAML injection: If a Helm chart inserts user-controlled values directly into YAML, for example replicas: {{ .Values.replicaCount }}, Helm does not automatically escape the value as a YAML scalar. An attacker who controls values.yaml can use a YAML block scalar such as | to create multiline input and inject additional keys at the correct indentation level. A value intended to be 3 can become 3 followed by an injected YAML attribute, causing Helm to render extra fields into the Kubernetes manifest.

Quoted context breakout: If the vulnerable value is inside a quoted string, the attacker can close the quote, inject YAML fields, and restore a valid YAML context. Exploitation depends on indentation and YAML parsing behavior. With |, a trailing newline is appended and may be normalized by Kubernetes into a space. With |-, the attacker can remove the ...

🤖 Agent Actions

Continued the run and re-opened the exact modified content plus the references tail.

Confirmed again:

• The inserted Helm/YAML injection section is present as expected
• The ## References section includes the Synacktiv blog and relevant official docs
• Git status still shows only:
  • M src/pentesting-cloud/kubernetes-security/kubernetes-basics.md
• Diff still shows:
  • 1 file changed, 76 insertions(+)

Still not giving the final answer yet, per your instruction.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

• MD files processed: 588
• MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).

[carlospolop]

🔗 Additional Context

Original Blog Post: https://synacktiv.com/en/publications/charting-your-way-in-helm-template-injection.html

Content Categories: Based on the analysis, this content was categorized under "Pentesting Cloud -> Kubernetes Pentesting -> Kubernetes Enumeration/Attacks or a new page under Kubernetes Pentesting titled 'Helm Template Injection / YAML Injection'; also cross-reference from Pentesting CI/CD/GitOps if an ArgoCD section exists or is added".

Repository Maintenance:

• MD Files Formatting: 588 files processed (1 files fixed)

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0