Privilege Escalation Vulnerability in gardenctl by Gardener
CVE-2025-67508

8 HIGH

Key Information:

Vendor: Gardener
CVE Published: 12 December 2025

What is CVE-2025-67508?

gardenctl, the command-line client used to manage Gardener project access and cloud provider CLI tools, is affected in versions 2.11.0 and earlier. In non-POSIX shell environments such as Fish and PowerShell, an attacker with administrative privileges can create infrastructure Secret objects containing crafted credential values; when gardenctl renders those values and the shell evaluates them, they escape their intended string context, compromising the Gardener service operators. The issue is fixed in version 2.12.0.
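Added illustration of the defect class, not gardenctl's code: the page does not show how gardenctl emits credentials, so the assignment syntax, function names and sample value below are assumptions. The naive form interpolates a credential between fixed quotes, which a value containing a quote character escapes from; the hardened form applies each shell's own single-quote escape rule (fish: `\'` and `\\`; PowerShell: `''`; POSIX: close-and-reopen) so the value stays one literal string.

```go
package main

import (
	"fmt"
	"strings"
)
// Shell selects the quoting rules of the shell that will evaluate the output.
type Shell int

const (
	POSIX Shell = iota // sh, bash, zsh
	Fish
	PowerShell
)

// Assignment syntax per shell (assumed; the page does not show gardenctl's output).
var assignFormat = map[Shell]string{
	POSIX: "export %s=%s", Fish: "set -gx %s %s", PowerShell: "$env:%s = %s",
}

// QuoteValue wraps v in single quotes using the target shell's escape rule,
// so the shell parses it back as exactly one literal string.
func QuoteValue(sh Shell, v string) string {
	switch sh {
	case Fish: // inside fish single quotes only \\ and \' are escape sequences
		return "'" + strings.NewReplacer(`\`, `\\`, `'`, `\'`).Replace(v) + "'"
	case PowerShell: // in a PowerShell single-quoted string a literal ' is written ''
		return "'" + strings.ReplaceAll(v, "'", "''") + "'"
	default: // POSIX single quotes allow no escapes: close, add \', reopen
		return "'" + strings.ReplaceAll(v, "'", `'\''`) + "'"
	}
}

// NaiveExportLine interpolates v between fixed quotes: a value containing a
// quote character ends the string early and the rest is parsed as shell code.
func NaiveExportLine(sh Shell, name, v string) string {
	return fmt.Sprintf(assignFormat[sh], name, "'"+v+"'")
}

// ExportLine is the hardened form: the value is quoted for the target shell.
func ExportLine(sh Shell, name, v string) string {
	return fmt.Sprintf(assignFormat[sh], name, QuoteValue(sh, v))
}

func main() {
	v := `ab'cd\ef` // constructed sample credential with a quote and a backslash
	for _, sh := range []Shell{POSIX, Fish, PowerShell} {
		fmt.Printf("naive:    %s\nhardened: %s\n", NaiveExportLine(sh, "CRED", v), ExportLine(sh, "CRED", v))
	}
}
```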

Affected Version(s)

gardenctl-v2 < 2.12.0

References

CVSS V3.0

Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved
