Summary
When Trivy scans a Helm chart archive (.tgz), its custom tar unpacker reads each entry with io.ReadAll(tr) and no size limit. An attacker who can place a malicious .tgz file in the scanned path can craft a small compressed archive that decompresses to gigabytes, causing the Trivy process to be killed by the OS OOM killer.
Affected configurations
Exploitation requires the attacker to place a crafted .tgz file in a location that Trivy will scan as a Helm chart. This applies to the following scan targets:
| Command |
Condition |
trivy config <dir> |
Directory contains a crafted .tgz Helm chart (misconfiguration scanning is always enabled) |
trivy filesystem --scanners misconf <dir> |
Directory contains a crafted .tgz Helm chart and --scanners misconf is explicitly enabled |
trivy image --scanners misconf <image> |
Image contains a crafted .tgz Helm chart and --scanners misconf is explicitly enabled |
Realistic scenarios include:
- A CI pipeline that runs
trivy config . on a repository where a contributor can submit a pull request containing a crafted chart archive.
- A pipeline that scans a container image with
--scanners misconf, whose build context includes untrusted .tgz files.
Impact
An attacker who satisfies the conditions above can exhaust all available memory on the host running Trivy. The OS OOM killer will terminate the Trivy process and may affect other processes sharing the same host or CI runner.
The practical impact in CI environments is denial of service: the scan fails, the pipeline is blocked, and repeated submissions re-trigger the same condition. Cloud CI runners may also incur additional costs for consumed resources.
There is no impact on confidentiality or integrity of the scanned system.
Patches
Fixed in Trivy v0.71.0 (#10718). The custom tar unpacker was replaced with archive.LoadArchiveFiles from the official helm.sh/helm/v4 SDK, which enforces per-entry and total size limits and validates archive structure. Users should upgrade to v0.71.0 or later.
Workarounds
If upgrading is not immediately possible:
- Set a memory limit (cgroup/container) on the Trivy process to bound the blast radius.
- Use
--skip-dirs to exclude directories containing untrusted Helm chart archives from the scan.
- Avoid scanning repositories or images with untrusted
.tgz files.
Credits
Reported by @jamesgol.
References
Summary
When Trivy scans a Helm chart archive (
.tgz), its custom tar unpacker reads each entry withio.ReadAll(tr)and no size limit. An attacker who can place a malicious.tgzfile in the scanned path can craft a small compressed archive that decompresses to gigabytes, causing the Trivy process to be killed by the OS OOM killer.Affected configurations
Exploitation requires the attacker to place a crafted
.tgzfile in a location that Trivy will scan as a Helm chart. This applies to the following scan targets:trivy config <dir>.tgzHelm chart (misconfiguration scanning is always enabled)trivy filesystem --scanners misconf <dir>.tgzHelm chart and--scanners misconfis explicitly enabledtrivy image --scanners misconf <image>.tgzHelm chart and--scanners misconfis explicitly enabledRealistic scenarios include:
trivy config .on a repository where a contributor can submit a pull request containing a crafted chart archive.--scanners misconf, whose build context includes untrusted.tgzfiles.Impact
An attacker who satisfies the conditions above can exhaust all available memory on the host running Trivy. The OS OOM killer will terminate the Trivy process and may affect other processes sharing the same host or CI runner.
The practical impact in CI environments is denial of service: the scan fails, the pipeline is blocked, and repeated submissions re-trigger the same condition. Cloud CI runners may also incur additional costs for consumed resources.
There is no impact on confidentiality or integrity of the scanned system.
Patches
Fixed in Trivy
v0.71.0(#10718). The custom tar unpacker was replaced witharchive.LoadArchiveFilesfrom the officialhelm.sh/helm/v4SDK, which enforces per-entry and total size limits and validates archive structure. Users should upgrade tov0.71.0or later.Workarounds
If upgrading is not immediately possible:
--skip-dirsto exclude directories containing untrusted Helm chart archives from the scan..tgzfiles.Credits
Reported by @jamesgol.
References