CVE-2025-59823: Gardener provider extensions vulnerable to code injection when Terraform is used for infrastructure provisioning
(updated )
A security vulnerability was discovered in Gardener when Terraformer is used for infrastructure provisioning. This vulnerability could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster where the shoot cluster is managed.
This CVE affects all Gardener installations where Terraformer is used/can be enabled for infrastructure provisioning with any of the affected components mentioned below.
References
- github.com/advisories/GHSA-227x-7mh8-3cf6
- github.com/gardener/gardener-extension-provider-aws
- github.com/gardener/gardener-extension-provider-aws/commit/cb5045fc146248296994804bbfe27bd896938bf2
- github.com/gardener/gardener-extension-provider-aws/releases/tag/v1.64.0
- github.com/gardener/gardener-extension-provider-aws/security/advisories/GHSA-227x-7mh8-3cf6
- github.com/gardener/gardener-extension-provider-azure/commit/4573a4404969f89781ed6cf72e90554bc6ae2020
- github.com/gardener/gardener-extension-provider-azure/releases/tag/v1.55.0
- github.com/gardener/gardener-extension-provider-gcp/commit/51111b4f60c33c60dfdf18b1fc50f7ec8d8f70ac
- github.com/gardener/gardener-extension-provider-gcp/releases/tag/v1.46.0
- github.com/gardener/gardener-extension-provider-openstack/commit/2ed6f0fe1be90fbef5d6093eb0b8325c8421b8d8
- github.com/gardener/gardener-extension-provider-openstack/releases/tag/v1.49.0
- nvd.nist.gov/vuln/detail/CVE-2025-59823
Code Behaviors & Features
Detect and mitigate CVE-2025-59823 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →