CVE-2025-47284: 
vulnerability analysis and mitigation

A critical security vulnerability (CVE-2025-47284) was discovered in the gardenlet component of Gardener, which implements automated management and operation of Kubernetes clusters as a service. The vulnerability was disclosed on May 19, 2025, affecting versions prior to 1.116.4, 1.117.5, 1.118.2, and 1.119.0. This vulnerability specifically impacts Gardener installations where gardener/gardener-extension-provider-gcp is in use (GitHub Advisory, NVD).

The vulnerability has been assigned a CVSS v3.0 base score of 9.9 (Critical) with the following vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The issue is classified under CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences). The vulnerability exists in the gardenlet component, which is responsible for managing Kubernetes clusters (Wiz).

The vulnerability could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed. This represents a significant security risk as it enables privilege escalation and potential unauthorized access to cluster resources (GitHub Advisory, Wiz).

The vulnerability has been fixed in versions 1.116.4, 1.117.5, 1.118.2, and 1.119.0. Users are strongly advised to update to these patched versions to mitigate the security risk (Wiz).