PT-2025-50882 · Gardenctl · Gardenctl

Published

2025-12-11

·

Updated

2026-01-06

·

CVE-2025-67508

CVSS v3.1

8.4

High

Vector

AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

gardenctl versions 2.11.0 and below

Description

gardenctl is a command-line client for Gardener, used for configuring access to clusters and cloud provider CLI tools. In versions 2.11.0 and below, credential values taken from infrastructure Secret objects are written into the shell snippets gardenctl generates without adequate escaping for non-POSIX shells such as Fish and PowerShell. An attacker with administrative privileges for a Gardener project can therefore store crafted credential values in those Secrets; when a Gardener service operator evaluates the generated snippet in Fish or PowerShell, the value breaks out of its intended string context and the remainder is interpreted as shell commands with the operator's privileges (command injection). The CVSS vector reflects this: high privileges (project administrator) are required, user interaction (an operator evaluating the snippet) is needed, and the scope changes because the injected commands run in the operator's shell session, outside the Gardener project's authorization boundary.

Recommendations

Update to gardenctl version 2.12.0 or later.
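The string-context breakout described above, as an added illustration written for this page (not gardenctl's own code or its fix): a naive renderer that interpolates a Secret value straight into a Fish `set -gx` line or a PowerShell double-quoted `$env:` assignment, beside a renderer that quotes according to each shell's rules, plus a minimal Fish statement counter that shows the crafted value splitting the naive output into extra commands. The export line shapes, the variable names and the crafted values are assumptions; the real gardenctl output format is not reproduced here.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed, attacker-chosen credential value of the kind a project admin
// could store in an infrastructure Secret (assumption, not a real key). The
// embedded quote closes the string the generator opened; what follows is
// parsed as further Fish commands.
const craftedFishValue = `AKIA"; echo pwned; set -gx X "`

// Constructed value for the PowerShell case: inside a double-quoted string a
// $(...) subexpression is evaluated when the assignment runs.
const craftedPowerShellValue = `x$(Write-Host pwned)'; Write-Host pwned; '`

// naiveFishExport mirrors the vulnerable pattern: the value is dropped into a
// double-quoted Fish string with no escaping at all.
func naiveFishExport(name, value string) string {
	return fmt.Sprintf("set -gx %s \"%s\"", name, value)
}

// safeFishExport escapes the only characters Fish treats specially inside
// double quotes: backslash, double quote and dollar.
func safeFishExport(name, value string) string {
	r := strings.NewReplacer(`\`, `\\`, `"`, `\"`, `$`, `\$`)
	return fmt.Sprintf("set -gx %s \"%s\"", name, r.Replace(value))
}

// naivePowerShellExport: a double-quoted PowerShell string expands $var and
// $(...) subexpressions, and an embedded double quote ends the string early.
func naivePowerShellExport(name, value string) string {
	return fmt.Sprintf("$env:%s = \"%s\"", name, value)
}

// safePowerShellExport emits a single-quoted literal, whose only escape is a
// doubled single quote; nothing inside it is expanded or executed.
func safePowerShellExport(name, value string) string {
	return fmt.Sprintf("$env:%s = '%s'", name, strings.ReplaceAll(value, "'", "''"))
}

// fishTopLevelStatements counts ';'-separated statements outside double
// quotes, applying Fish's in-string escape rule (a backslash protects the next
// character). It is a minimal checker for demonstrating the breakout, not a
// full Fish parser.
func fishTopLevelStatements(script string) int {
	n, inStr := 1, false
	for i := 0; i < len(script); i++ {
		switch c := script[i]; {
		case inStr && c == '\\' && i+1 < len(script):
			i++ // escaped character, never a string terminator
		case c == '"':
			inStr = !inStr
		case !inStr && c == ';':
			n++
		}
	}
	return n
}

func main() {
	for _, f := range []func(string, string) string{naiveFishExport, safeFishExport} {
		s := f("AWS_ACCESS_KEY_ID", craftedFishValue)
		fmt.Printf("%-60s statements=%d\n", s, fishTopLevelStatements(s))
	}
	fmt.Println(naivePowerShellExport("AWS_SECRET_ACCESS_KEY", craftedPowerShellValue))
	fmt.Println(safePowerShellExport("AWS_SECRET_ACCESS_KEY", craftedPowerShellValue))
}
```

Run with `go run` to see the naive Fish line split into three statements while the escaped line stays one. The design point is that quoting rules are shell-specific: the escape set that is correct for a POSIX shell is not the one Fish or PowerShell applies, so a generator that targets several shells needs a quoting routine per shell rather than one shared escaper.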

Weakness Enumeration

Command Injection

Related Identifiers

CVE-2025-67508
GHSA-FW33-QPX7-RHX2
GO-2025-4232
SUSE-SU-2026:0037-1

Affected Products

Gardenctl