Code Injection Vulnerability in Gardener Extensions for Multiple Cloud Providers
CVE-2025-59823

9.9 CRITICAL

Key Information:

Vendor: Gardener

CVE Published: 25 September 2025

What is CVE-2025-59823?

A vulnerability exists in Gardener Extensions that could allow a user with administrative privileges to execute code via injection. This flaw affects users of the AWS, Azure, OpenStack, and GCP providers running versions below the thresholds listed under Affected Version(s). By exploiting this issue, an attacker could gain control over critical components of the Kubernetes cluster management system. The vulnerability is of particular concern for installations that use Terraformer for infrastructure provisioning. Updated versions have been released to address this issue.

Affected Version(s)

gardener-extension-provider-aws < 1.64.0

gardener-extension-provider-aws < 1.55.0

gardener-extension-provider-aws < 1.49.0

CVSS V3.0

Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
