CVE-2025-67508
Credential Injection in gardenctl ≤2.11.0 Affects Shell Environments

Publication date: 2025-12-12

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
gardenctl is a command-line client for Gardener that configures access to clusters and to cloud provider CLI tools. When used with non-POSIX shells such as Fish and PowerShell, gardenctl versions 2.11.0 and below allow an attacker with administrative privileges on a Gardener project to craft malicious credential values. Placed in infrastructure Secret objects, the forged values break out of their intended string context when evaluated in the Fish or PowerShell environments used by Gardener service operators. This issue is fixed in version 2.12.0.
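The Go program below is an added illustration of the bug class the description names; it is not gardenctl's code and does not reproduce its actual rendering logic. It builds an environment export line from a credential value the way a careless generator would (the value dropped into a double-quoted string) next to a rendering that uses each shell's single-quote rules, and then counts how many statements the shell would see. The variable name, sample values and helper names are constructed for the example, and statementCount is a deliberately small quote-state scanner, not a parser for either shell.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample values standing in for credential fields read from a
// Gardener infrastructure Secret. payloadValue is the kind of value a project
// admin could plant: it closes a double-quoted string, ends the statement and
// starts a new command. It is an illustration, not a captured exploit.
const (
	envName      = "CLOUD_SECRET_KEY" // hypothetical variable name
	benignValue  = "s3cr3t-but-harmless"
	payloadValue = `x"; echo pwned; "`
)

// shellRules holds the quoting rules statementCount needs for one shell.
type shellRules struct {
	dqEscape    byte // escape character inside "...": ` in PowerShell, \ in fish
	dqDoubling  bool // PowerShell: "" inside "..." is a literal quote
	sqDoubling  bool // PowerShell: '' inside '...' is a literal quote
	sqBackslash bool // fish: \' and \\ inside '...' are the only escapes
}

var (
	powerShell = shellRules{dqEscape: '`', dqDoubling: true, sqDoubling: true}
	fish       = shellRules{dqEscape: '\\', sqBackslash: true}
)

// vulnerablePowerShell drops the raw value into a double-quoted string.
// PowerShell double quotes interpolate $var and $(...) and end at the first
// unescaped ", so the value controls the rest of the line.
func vulnerablePowerShell(name, value string) string {
	return fmt.Sprintf(`$Env:%s = "%s"`, name, value)
}

// safePowerShell emits a single-quoted literal: nothing is interpolated and
// the only special character is ', which is written as ''.
func safePowerShell(name, value string) string {
	return fmt.Sprintf(`$Env:%s = '%s'`, name, strings.ReplaceAll(value, `'`, `''`))
}

// vulnerableFish has the same defect for fish, whose double quotes also
// expand $var and end at the first unescaped ".
func vulnerableFish(name, value string) string {
	return fmt.Sprintf(`set -gx %s "%s"`, name, value)
}

// safeFish uses fish single quotes, inside which only \\ and \' are escapes:
// backslashes are doubled first, then quotes are escaped.
func safeFish(name, value string) string {
	v := strings.ReplaceAll(value, `\`, `\\`)
	v = strings.ReplaceAll(v, `'`, `\'`)
	return fmt.Sprintf(`set -gx %s '%s'`, name, v)
}

// statementCount walks the line tracking quote state under the given rules and
// counts statement separators (';' or newline) outside quotes. A correctly
// rendered export is exactly one statement; more means the value escaped its
// string context. It ignores $-expansion inside "...", which is the second
// reason the double-quoted form is unsafe.
func statementCount(line string, r shellRules) int {
	count := 1
	var quote byte // 0 outside quotes, otherwise '\'' or '"'
	for i := 0; i < len(line); i++ {
		c := line[i]
		var next byte
		if i+1 < len(line) {
			next = line[i+1]
		}
		switch quote {
		case 0:
			switch c {
			case '\'', '"':
				quote = c
			case ';', '\n':
				count++
			}
		case '"':
			switch {
			case c == r.dqEscape && next != 0:
				i++ // escaped character: skip it
			case c == '"' && r.dqDoubling && next == '"':
				i++ // "" is a literal quote
			case c == '"':
				quote = 0
			}
		case '\'':
			switch {
			case r.sqBackslash && c == '\\' && next != 0:
				i++ // \' or \\ inside fish single quotes
			case r.sqDoubling && c == '\'' && next == '\'':
				i++ // '' inside PowerShell single quotes
			case c == '\'':
				quote = 0
			}
		}
	}
	return count
}
```

Running the payload through vulnerablePowerShell or vulnerableFish yields three statements (the export, `echo pwned`, and a dangling empty string), while the single-quoted renderings yield one regardless of the value. The fix direction this demonstrates is the general one for CWE-77: pick the quoting form in which the downstream interpreter performs no expansion, and escape exactly the characters that form still treats specially.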
Meta Information
CVSS / EPSS scores: not provided
Generated: 2026-05-07
AI Q&A: 2025-12-12
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products (1 associated CPE)
Vendor: linuxfoundation
Product: gardenctl
Version / Range: up to 2.12.0 (excluding), i.e. 2.11.0 and below
Exploitability
CWE-77, Improper Neutralization of Special Elements used in a Command ('Command Injection'): the product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability lets an attacker who already holds administrative privileges on a Gardener project plant crafted credential values that, once evaluated in an operator's Fish or PowerShell session, break out of their intended string context and run as shell code. Because that session typically carries the cluster and cloud provider access gardenctl has just configured, a successful attack can affect the confidentiality, integrity and availability of the data behind those clusters. Unauthorized access to personal or sensitive data, or disruption of the services that process it, can put an organization out of compliance with standards such as GDPR and HIPAA that require such data to be protected. Organizations running vulnerable versions of gardenctl should therefore treat this as a compliance risk until it is remediated. [1]


Can you explain this vulnerability to me?

This vulnerability exists in gardenctl versions 2.11.0 and below when it is used with non-POSIX shells such as Fish and PowerShell. An attacker with administrative privileges on a Gardener project can craft malicious credential values and store them in infrastructure Secret objects. When gardenctl renders those values into shell code for Fish or PowerShell and a Gardener service operator evaluates it, the forged values break out of their intended string context, so the attacker-controlled text can be interpreted as shell commands rather than as a credential. The issue is fixed in version 2.12.0.


How can this vulnerability impact me?

If exploited, this vulnerability allows an attacker with administrative privileges on a Gardener project to run commands of their choosing in the Fish or PowerShell session of a Gardener service operator by injecting crafted credential values. The commands run with the operator's privileges, in a session that has just been configured with cluster and cloud provider access, so the consequences can range from credential theft and unauthorized access to compromise of the operator's workstation and the infrastructure it manages.


What immediate steps should I take to mitigate this vulnerability?

Upgrade gardenctl to version 2.12.0 or later, which contains the fix. Until the upgrade is applied, avoid evaluating gardenctl output in non-POSIX shells such as Fish and PowerShell and use a POSIX shell instead, since the description limits the issue to those shells. Because the attack requires administrative privileges on a Gardener project, also review who holds that role and treat credential values in infrastructure Secrets as untrusted input.

