CVE-2025-67508
Unknown Unknown - Not Provided
Credential Injection in gardenctl ≤2.11.0 Affects Shell Environments

Publication date: 2025-12-12

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
gardenctl is a command-line client for the Gardener which configures access to clusters and cloud provider CLI tools. When using non‑POSIX shells such as Fish and PowerShell, versions 2.11.0 and below of gardenctl allow an attacker with administrative privileges for a Gardener project to craft malicious credential values. The forged credential values are used in infrastructure Secret objects that break out of the intended string context when evaluated in Fish or PowerShell environments used by the Gardener service operators. This issue is fixed in version 2.12.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-12
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2025-12-12
EPSS Evaluated
2026-06-15
NVD
CVE-2025-67508
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linuxfoundation gardenctl to 2.12.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in gardenctl versions 2.11.0 and below when used with non-POSIX shells like Fish and PowerShell. An attacker with administrative privileges for a Gardener project can craft malicious credential values that are stored in infrastructure Secret objects. These forged credentials can break out of their intended string context when evaluated in Fish or PowerShell environments used by Gardener service operators, potentially leading to unintended command execution or other harmful effects. The issue is fixed in version 2.12.0.

Impact Analysis

If exploited, this vulnerability can allow an attacker with administrative privileges to execute malicious code or commands in the Fish or PowerShell environments of Gardener service operators by injecting crafted credential values. This can lead to compromise of the infrastructure, unauthorized access, and potentially full control over affected systems.

Mitigation Strategies

Upgrade gardenctl to version 2.12.0 or later, as this version contains the fix for the vulnerability. Additionally, avoid using non-POSIX shells such as Fish and PowerShell with vulnerable versions until the upgrade is applied.

Compliance Impact

The vulnerability allows attackers to execute arbitrary commands by crafting malicious credential values, leading to high impacts on confidentiality, integrity, and availability of data. Such impacts can result in unauthorized access to sensitive information and disruption of services, which may cause non-compliance with standards like GDPR and HIPAA that require protection of personal and sensitive data. Therefore, organizations using vulnerable versions of gardenctl may face compliance risks if this vulnerability is exploited. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67508. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart