CVE-2025-59823

9.9 CRITICAL

📋 TL;DR

This CVE describes a code injection vulnerability in Gardener Extensions for AWS, Azure, OpenStack, and GCP providers that allows administrative users of a Gardener project to potentially gain control over the seed cluster managing shoot clusters. The vulnerability affects all Gardener installations using Terraformer for infrastructure provisioning with affected components. Attackers could escalate privileges from project administrator to seed cluster control.

💻 Affected Systems

Products:
  • Gardener Extensions for AWS providers
  • Gardener Extensions for Azure providers
  • Gardener Extensions for OpenStack providers
  • Gardener Extensions for GCP providers
Versions: AWS providers prior to 1.64.0, Azure providers prior to 1.55.0, OpenStack providers prior to 1.49.0, GCP providers prior to 1.46.0
Operating Systems: Any OS running Gardener
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations where Terraformer is used or can be enabled for infrastructure provisioning with affected components.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the seed cluster, allowing attacker to control all managed Kubernetes clusters, exfiltrate sensitive data, deploy malicious workloads, and potentially pivot to other infrastructure.

🟠

Likely Case

Privileged project administrator exploits the vulnerability to gain unauthorized access to seed cluster resources, potentially compromising multiple managed clusters within the same project.

🟢

If Mitigated

Limited impact due to proper access controls, network segmentation, and monitoring that detects unusual administrative activities.

🌐 Internet-Facing: MEDIUM - While exploitation requires administrative privileges, internet-facing Gardener dashboards or APIs could be targeted through compromised credentials or session hijacking.
🏢 Internal Only: HIGH - Internal administrators with legitimate access could exploit this vulnerability for privilege escalation, making insider threats a significant concern.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires administrative privileges for a Gardener project and knowledge of the specific code injection vectors in Terraformer configurations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: AWS providers 1.64.0+, Azure providers 1.55.0+, OpenStack providers 1.49.0+, GCP providers 1.46.0+

Vendor Advisory: https://github.com/gardener/gardener-extension-provider-aws/security/advisories/GHSA-227x-7mh8-3cf6

Restart Required: Yes

Instructions:

1. Identify affected Gardener extensions in your environment.
2. Update each extension to the patched version using your deployment method (Helm, kubectl apply, etc.).
3. Restart the Gardener control plane components.
4. Verify all extensions are running patched versions.

🔧 Temporary Workarounds

Disable Terraformer for infrastructure provisioning (applies to: all)

Temporarily disable Terraformer usage in affected Gardener extensions to prevent exploitation until patching is complete.

kubectl edit deployment -n gardener-extension-provider-<provider> <deployment-name>
Set terraformer.enabled: false in configuration

Restrict administrative access (applies to: all)

Tighten access controls for Gardener project administrators and implement just-in-time access with approval workflows.

🧯 If You Can't Patch

  • Implement strict network segmentation between project namespaces and seed cluster components
  • Enhance monitoring and alerting for unusual administrative activities in Gardener control plane

🔍 How to Verify

Check if Vulnerable:

Check Gardener extension versions using kubectl. The -n flag does not accept wildcards such as gardener-extension-provider-*, so list pods across all namespaces and filter for the provider extensions:

kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.spec.containers[*].image}{"\n"}{end}' | grep -E 'provider-(aws|azure|openstack|gcp)'

Check Version:

kubectl describe deployment -n gardener-extension-provider-<provider> <deployment-name> | grep Image

Verify Fix Applied:

Confirm all extensions show patched versions: AWS >=1.64.0, Azure >=1.55.0, OpenStack >=1.49.0, GCP >=1.46.0
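The version comparison behind the three check steps above, as an added example that is not part of this advisory or of the Gardener project: a Python script that reads the namespace/image rows produced by a kubectl jsonpath listing of pod images, matches provider-extension image references, and compares each tag against the patched versions listed on this page. The registry host, namespace names and image rows are constructed sample data; digest-only image references are reported as unknown because a digest cannot be compared to a version threshold and must be resolved by hand.

```python
"""Audit Gardener provider-extension images against the CVE-2025-59823 patched versions.

Input format: one row per pod, "namespace<TAB>image [image ...]", i.e. the output of
  kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.spec.containers[*].image}{"\n"}{end}'
Registry hosts, namespaces and image rows below are constructed sample data, not real cluster output.
"""
import re
import sys

# First patched release per provider, as given in the advisory above.
PATCHED = {
    "aws": (1, 64, 0),
    "azure": (1, 55, 0),
    "openstack": (1, 49, 0),
    "gcp": (1, 46, 0),
}

# Matches ".../provider-aws:v1.63.2", ".../provider-gcp@sha256:..." and the
# "provider-aws:v1.63.2@sha256:..." form; the tag group is absent for digest-only refs.
IMAGE_RE = re.compile(
    r"provider-(?P<provider>aws|azure|openstack|gcp)\b"
    r"(?::(?P<tag>[^@\s]+))?"
    r"(?:@sha256:[0-9a-f]{64})?"
)


def parse_version(tag):
    """Return (major, minor, patch) for a 'v1.63.2'-style tag, or None if not semver-like."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None


def classify_image(image):
    """Return (provider, version, status) for a provider-extension image, else None.

    status is 'patched', 'vulnerable', or 'unknown' (digest-only or non-semver tag,
    which must be resolved manually before the extension can be cleared).
    """
    m = IMAGE_RE.search(image)
    if not m:
        return None
    provider = m.group("provider")
    version = parse_version(m.group("tag")) if m.group("tag") else None
    if version is None:
        status = "unknown"
    elif version >= PATCHED[provider]:
        status = "patched"
    else:
        status = "vulnerable"
    return provider, version, status


def audit(rows):
    """Classify every provider-extension image found in the kubectl rows.

    Returns a list of (namespace, image, provider, version, status). Images that are
    not Gardener provider extensions (sidecars, unrelated pods) are skipped.
    """
    findings = []
    for row in rows:
        namespace, _, images = row.partition("\t")
        for image in images.split():
            result = classify_image(image)
            if result is not None:
                findings.append((namespace, image, *result))
    return findings


def needs_action(findings):
    """True if any extension is below the patched version or could not be classified."""
    return any(status != "patched" for *_, status in findings)


# Constructed sample rows (not real output): one vulnerable, two patched, one digest-only,
# plus an unrelated pod and a sidecar container that must be ignored.
SAMPLE_ROWS = [
    "gardener-extension-provider-aws\tregistry.example/gardener/extensions/provider-aws:v1.63.2",
    "gardener-extension-provider-azure\tregistry.example/gardener/extensions/provider-azure:v1.55.0",
    "gardener-extension-provider-gcp\tregistry.example/gardener/extensions/provider-gcp@sha256:" + "0" * 64,
    "gardener-extension-provider-openstack\tregistry.example/gardener/extensions/provider-openstack:v1.50.1 registry.example/sidecar:1.0",
    "kube-system\tregistry.k8s.io/coredns/coredns:v1.11.1",
]


def main():
    # Read rows from stdin when piped from kubectl; fall back to the constructed sample otherwise.
    rows = [line.rstrip("\n") for line in sys.stdin] if not sys.stdin.isatty() else SAMPLE_ROWS
    findings = audit(rows)
    for namespace, image, provider, version, status in findings:
        shown = ".".join(map(str, version)) if version else "(digest only)"
        print(f"{status:10} {provider:9} {shown:14} {namespace}  {image}")
    return 1 if needs_action(findings) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Pipe the kubectl jsonpath listing into the script; it exits non-zero whenever any provider extension is below its patched version or is referenced by digest only, so it can gate a rollout check. The version thresholds are the four listed on this page and are the only values that need updating if the advisory is revised.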

📡 Detection & Monitoring

Log Indicators:

  • Unusual Terraformer execution patterns
  • Unexpected configuration changes in Gardener extensions
  • Administrative actions from unusual sources or times

Network Indicators:

  • Unexpected connections from project namespaces to seed cluster control plane components
  • Suspicious API calls to Gardener extension endpoints

SIEM Query:

source="gardener-logs" AND ("terraformer" OR "extension-provider") AND ("execution" OR "injection" OR "unexpected")
