CVE-2025-67508: Vulnerability discovered in gardenctl versions < v2.12.0

A security vulnerability was recently discovered for [gardenctl](https://github.com/gardener/gardenctl-v2) when it is used with non‑POSIX shells such as **[Fish](https://fishshell.com/)** and **[PowerShell](https://learn.microsoft.com/en-us/powershell/)**. Such setup could allow an attacker with administrative privileges for a Gardener project to craft malicious credential values in infrastructure Secret objects that break out of the intended string context when evaluated in Fish or PowerShell environments used by the Gardener service operators, leading to arbitrary command execution on the operator's device.

[CVE-2025-67508](https://www.cve.org/CVERecord?id=CVE-2025-67508) has been rated High [CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H](https://www.first.org/cvss/calculator/3-0#CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H) (Base score 8.0).

**Am I vulnerable?**
This CVE affects all Gardener operators who use  **gardenctl < v2.12.0** with non‑POSIX shells such as **[Fish](https://fishshell.com/)** and **[PowerShell](https://learn.microsoft.com/en-us/powershell/)**. 

**Affected Components**
- `gardener/gardenctl-v2`

**Affected Versions**
- < v2.12.0

**Fixed Versions**
-  \>= v2.12.0

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2025-67508: Vulnerability discovered in gardenctl versions < v2.12.0 #693

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CVE-2025-67508: Vulnerability discovered in gardenctl versions < v2.12.0 #693

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions