
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical security vulnerability (CVE-2025-47282) was discovered in Gardener's External DNS Management in versions prior to 0.23.6. The vulnerability affects all Gardener installations regardless of the public cloud provider(s) used for the seed clusters and shoot clusters. The affected component is gardener/external-dns-management, which may also be deployed on the seeds by the gardener/gardener-extension-shoot-dns-service extension when that extension is enabled. For installations using the shoot-dns-service extension, all versions up to and including v1.60.0 are affected (GitHub Advisory, NVD).
The vulnerability has been assigned a CVSS v3.0 base score of 9.9 (Critical) with the vector string CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. It is classified as CWE-20 (Improper Input Validation). Read from the vector, the attack is network-reachable, of low complexity, needs only low privileges (the project or shoot administrator rights described below) and no user interaction, and has a changed scope: the impact crosses the trust boundary from the attacker's shoot cluster into the seed cluster, with high impact on confidentiality, integrity and availability (GitHub Advisory, Wiz).
The vulnerability could allow a user with administrative privileges for a Gardener project or a user with administrative privileges for a shoot cluster (including administrative privileges for a single namespace of the shoot cluster) to obtain control over the seed cluster where the shoot cluster is managed (GitHub Advisory).
The vulnerability has been fixed in version 0.23.6 of Gardener External DNS Management. Users are advised to update to this version or later. For users of the gardener-extension-shoot-dns-service, a release later than v1.60.0 is required, since every release up to and including v1.60.0 ships an affected component (GitHub Advisory).
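The two version boundaries above are easy to misjudge when they are compared as strings (a tag such as v0.23.10 sorts before v0.23.6 lexically but is fixed). The following is an added example, written for this page and not code from the Gardener project or the advisory: it parses Gardener-style release tags as semantic versions and reports, per image, whether the tag falls inside the affected range stated above. The image references and the component-to-image mapping are constructed for illustration; in a real seed the operator supplies the image references actually deployed and says which component each one is.

```python
import re
from typing import Dict, List, Optional, Tuple

# Boundaries taken from the advisory text for CVE-2025-47282.
# gardener/external-dns-management: fixed in 0.23.6, everything below is affected.
# gardener-extension-shoot-dns-service: every release <= v1.60.0 is affected.
FIXED_EXTERNAL_DNS_MANAGEMENT = (0, 23, 6)
LAST_AFFECTED_SHOOT_DNS_SERVICE = (1, 60, 0)

# Optional leading "v", MAJOR.MINOR.PATCH, optional -prerelease, optional +build.
_SEMVER = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_version(tag: str) -> Tuple[Tuple[int, int, int], Optional[str]]:
    """Parse 'v0.23.5' or '1.61.0-rc.1' into ((major, minor, patch), prerelease).

    Anything that is not a semantic version ('latest', a bare SHA) raises
    ValueError so that it is reported instead of silently passing the check.
    """
    m = _SEMVER.match(tag.strip())
    if not m:
        raise ValueError(f"not a semantic version tag: {tag!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    return core, m.group(4)  # type: ignore[return-value]


def is_affected(component: str, tag: str) -> bool:
    """True if the tag lies in the affected range the advisory gives for the component."""
    core, prerelease = parse_version(tag)
    if component == "external-dns-management":
        if core == FIXED_EXTERNAL_DNS_MANAGEMENT:
            # 0.23.6-rc.1 sorts below the 0.23.6 release, so treat it as affected.
            return prerelease is not None
        return core < FIXED_EXTERNAL_DNS_MANAGEMENT
    if component == "shoot-dns-service":
        # The advisory only says "<= v1.60.0"; any core version above that is
        # taken as carrying the fix.
        return core <= LAST_AFFECTED_SHOOT_DNS_SERVICE
    raise ValueError(f"unknown component: {component!r}")


def tag_of(image_ref: str) -> str:
    """Extract the tag from an OCI image reference.

    Handles 'registry:5000/repo/img:v1.2.3' (port is not a tag) and rejects
    digest-only references, which carry no version to compare.
    """
    name = image_ref.split("@", 1)[0]
    last_segment = name.rsplit("/", 1)[-1]
    if ":" not in last_segment:
        raise ValueError(f"image reference has no tag: {image_ref!r}")
    return last_segment.rsplit(":", 1)[1]


def audit(images: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """For each (component, image_ref) pair return a row with the verdict.

    status is 'affected', 'fixed', or 'unknown: <reason>' when the tag cannot
    be interpreted; unknown must be resolved by hand, never assumed fixed.
    """
    rows = []
    for component, image_ref in images:
        try:
            tag = tag_of(image_ref)
            status = "affected" if is_affected(component, tag) else "fixed"
        except ValueError as exc:
            status = f"unknown: {exc}"
        rows.append({"component": component, "image": image_ref, "status": status})
    return rows


# Constructed sample input; these registry paths and tags are illustrative only.
SAMPLE_IMAGES = [
    ("external-dns-management", "registry.example:5000/gardener/dns-controller-manager:v0.23.5"),
    ("external-dns-management", "registry.example:5000/gardener/dns-controller-manager:v0.23.10"),
    ("shoot-dns-service", "registry.example:5000/gardener/shoot-dns-service:v1.60.0"),
    ("shoot-dns-service", "registry.example:5000/gardener/shoot-dns-service:v1.61.0"),
    ("shoot-dns-service", "registry.example:5000/gardener/shoot-dns-service@sha256:0123abcd"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_IMAGES):
        print(f"{row['status']:<45} {row['component']:<25} {row['image']}")
```

The check is deliberately conservative at the edges: a pre-release of 0.23.6 is counted as affected, a digest-only or `latest` tag is reported as unknown rather than passed, and the shoot-dns-service rule is exactly the "<= v1.60.0" the advisory states, because the page does not name the first fixed release of that extension.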
Source: This report was generated using AI