Project Gardener implements the automated management and operation of Kubernetes clusters as a service. Code injection may be possible in Gardener Extensions for AWS providers prior to version 1.64.0, Azure providers prior to version 1.55.0, OpenStack providers prior to version 1.49.0, and GCP providers prior to version 1.46.0. This vulnerability could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster where the shoot cluster is managed. This affects all Gardener installations where Terraformer is used/can be enabled for infrastructure provisioning with any of the affected components. This issue has been patched in Gardener Extensions for AWS providers version 1.64.0, Azure providers version 1.55.0, OpenStack providers version 1.49.0, and GCP providers version 1.46.0.

Metrics

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

No data.

No data.

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://github.com/gardener/gardener-extension-provider-aws/releases/tag/v1.64.0 cve-icon cve-icon
https://github.com/gardener/gardener-extension-provider-aws/security/advisories/GHSA-227x-7mh8-3cf6 cve-icon cve-icon
https://github.com/gardener/gardener-extension-provider-azure/releases/tag/v1.55.0 cve-icon cve-icon
https://github.com/gardener/gardener-extension-provider-gcp/releases/tag/v1.46.0 cve-icon cve-icon
https://github.com/gardener/gardener-extension-provider-openstack/releases/tag/v1.49.0 cve-icon cve-icon
History

Thu, 25 Sep 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 25 Sep 2025 14:30:00 +0000

Type Values Removed Values Added
Description Project Gardener implements the automated management and operation of Kubernetes clusters as a service. Code injection may be possible in Gardener Extensions for AWS providers prior to version 1.64.0, Azure providers prior to version 1.55.0, OpenStack providers prior to version 1.49.0, and GCP providers prior to version 1.46.0. This vulnerability could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster where the shoot cluster is managed. This affects all Gardener installations where Terraformer is used/can be enabled for infrastructure provisioning with any of the affected components. This issue has been patched in Gardener Extensions for AWS providers version 1.64.0, Azure providers version 1.55.0, OpenStack providers version 1.49.0, and GCP providers version 1.46.0.
Title Gardner providers vulnerable to code injection when Terraformer is used for infrastructure provisioning
Weaknesses CWE-94
References
Metrics cvssV3_0

{'score': 9.9, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-09-25T18:55:06.669Z

Reserved: 2025-09-22T14:34:03.470Z

Link: CVE-2025-59823

cve-icon Vulnrichment

Updated: 2025-09-25T18:54:41.401Z

cve-icon NVD

Status : Received

Published: 2025-09-25T15:16:13.560

Modified: 2025-09-25T15:16:13.560

Link: CVE-2025-59823

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.