PT-2025-39386 · Vendors: Google and 4 others · Affected products: Gcp Providers and 5 others

Published: 2025-09-25 · Updated: 2025-10-27

CVE-2025-59823

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
- Project Gardener versions prior to 1.64.0 (AWS providers)
- Project Gardener versions prior to 1.55.0 (Azure providers)
- Project Gardener versions prior to 1.49.0 (OpenStack providers)
- Project Gardener versions prior to 1.46.0 (GCP providers)

Description
Project Gardener, a system for automated Kubernetes cluster management, may allow code injection in its extensions for the AWS, Azure, OpenStack, and GCP providers. This could allow a user with administrative privileges for a Gardener project to gain control over the seed cluster that manages the shoot cluster. The issue affects Gardener installations that use Terraformer for infrastructure provisioning with any of the affected components.

Recommendations
- Update Gardener Extensions for AWS providers to version 1.64.0 or later.
- Update Gardener Extensions for Azure providers to version 1.55.0 or later.
- Update Gardener Extensions for OpenStack providers to version 1.49.0 or later.
- Update Gardener Extensions for GCP providers to version 1.46.0 or later.

Tags: Exploit · Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers

BDU:2026-00668
CVE-2025-59823
GHSA-227X-7MH8-3CF6
GO-2025-3981
OPENSUSE-SU-2025:15666-1
SUSE-SU-2025:3799-1

Affected Products

Aws Providers
Azure Providers
Gcp Providers
Openstack Providers
Project Gardener
Terraformer