
Cloud Vulnerability DB
A community-led vulnerabilities database
Gardener, a service for automated management and operation of Kubernetes clusters, disclosed a critical security vulnerability (CVE-2025-47283) on May 19, 2025. The vulnerability affects versions prior to 1.116.4, 1.117.5, 1.118.2, and 1.119.0, where users with administrative privileges for a Gardener project could potentially gain unauthorized control over seed clusters managing their shoot clusters. This vulnerability impacts all Gardener installations regardless of the public cloud provider used for seed clusters/shoot clusters (GitHub Advisory).
The vulnerability has been assigned a CVSS v3.0 base score of 9.9 (Critical) with the following vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The affected component is gardener/gardener (gardenlet). The vulnerability is characterized by improper input validation (CWE-20) and allows privilege escalation through bypassing project secret validation (GitHub Advisory).
The vulnerability enables users with administrative privileges for a Gardener project to gain unauthorized control over the seed cluster(s) where their shoot clusters are managed. This is a significant security exposure because it affects all Gardener installations regardless of the cloud provider, potentially compromising the entire cluster management infrastructure (GitHub Advisory).
The vulnerability has been patched in versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0. Users are strongly advised to upgrade to these fixed versions to mitigate the security risk (GitHub Advisory).
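The fix landed on several release lines at once, so a plain "older than X" comparison misclassifies versions. The following check is an added example, not code from Gardener or the advisory; the seed names and inventory are constructed, and it assumes that release lines older than 1.116 have no patched release and that a pre-release build of a fixed version may not contain the fix.

```python
import re

# Fixed patch level per minor line, taken from the advisory text above.
FIXED_PATCH = {(1, 116): 4, (1, 117): 5, (1, 118): 2}
FIRST_FIXED_LINE = (1, 119)  # 1.119.0 and every later release carry the fix

VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease); raise ValueError if malformed."""
    m = VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4) is not None


def is_affected(text):
    """True if this gardenlet version predates the fix for CVE-2025-47283."""
    (major, minor, patch), prerelease = parse_version(text)
    if (major, minor) >= FIRST_FIXED_LINE:
        # Assumption: a pre-release of 1.119.0 (e.g. 1.119.0-dev) may predate the fix.
        return prerelease and (major, minor, patch) == (1, 119, 0)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return True  # Assumption: older lines have no patched release listed.
    if patch == fixed:
        return prerelease  # Assumption: a pre-release of the fixed patch is not trusted.
    return patch < fixed


def affected_seeds(inventory):
    """Return the sorted seed names whose gardenlet version is affected."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver))


# Constructed inventory: seed names and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "seed-a": "v1.116.3", "seed-b": "1.117.5", "seed-c": "1.118.1",
    "seed-d": "v1.119.0-dev", "seed-e": "1.115.9", "seed-f": "1.120.1",
}

if __name__ == "__main__":
    for seed in affected_seeds(SAMPLE_INVENTORY):
        print(f"{seed}: gardenlet {SAMPLE_INVENTORY[seed]} needs the upgrade")
```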
Source: This report was generated using AI