VDB
EN
HIGH

GHSA-q3fv-x8vg-qqm4

Trivy: Helm chart tar bomb causes OOM via unbounded io.ReadAll in parser

상세

## Summary

When Trivy scans a Helm chart archive (`.tgz`), its custom tar unpacker reads each entry with `io.ReadAll(tr)` and no size limit. An attacker who can place a malicious `.tgz` file in the scanned path can craft a small compressed archive that decompresses to gigabytes, causing the Trivy process to be killed by the OS OOM killer.

## Affected configurations

Exploitation requires the attacker to place a crafted `.tgz` file in a location that Trivy will scan as a Helm chart. This applies to the following scan targets:

| Command | Condition | | --- | --- | | `trivy config <dir>` | Directory contains a crafted `.tgz` Helm chart (misconfiguration scanning is always enabled) | | `trivy filesystem --scanners misconf <dir>` | Directory contains a crafted `.tgz` Helm chart **and** `--scanners misconf` is explicitly enabled | | `trivy image --scanners misconf <image>` | Image contains a crafted `.tgz` Helm chart **and** `--scanners misconf` is explicitly enabled |

Realistic scenarios include: - A CI pipeline that runs `trivy config .` on a repository where a contributor can submit a pull request containing a crafted chart archive. - A pipeline that scans a container image with `--scanners misconf`, whose build context includes untrusted `.tgz` files.

## Impact

An attacker who satisfies the conditions above can exhaust all available memory on the host running Trivy. The OS OOM killer will terminate the Trivy process and may affect other processes sharing the same host or CI runner.

The practical impact in CI environments is denial of service: the scan fails, the pipeline is blocked, and repeated submissions re-trigger the same condition. Cloud CI runners may also incur additional costs for consumed resources.

There is no impact on confidentiality or integrity of the scanned system.

## Patches

Fixed in Trivy `v0.71.0` (#10718). The custom tar unpacker was replaced with `archive.LoadArchiveFiles` from the official `helm.sh/helm/v4` SDK, which enforces per-entry and total size limits and validates archive structure. Users should upgrade to `v0.71.0` or later.

## Workarounds

If upgrading is not immediately possible: - Set a memory limit (cgroup/container) on the Trivy process to bound the blast radius. - Use `--skip-dirs` to exclude directories containing untrusted Helm chart archives from the scan. - Avoid scanning repositories or images with untrusted `.tgz` files.

## Credits

Reported by @jamesgol.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

Go / github.com/aquasecurity/trivy
최초 영향 버전: 0 수정 버전: 0.71.0
수정 go get github.com/aquasecurity/trivy@v0.71.0

참고