CVE-2025-59823: 
vulnerability analysis and mitigation

CVE-2025-59823 is a critical code injection vulnerability discovered in Project Gardener, which implements automated management and operation of Kubernetes clusters as a service. The vulnerability was disclosed on September 25, 2025, affecting multiple Gardener Extensions including AWS providers (prior to v1.64.0), Azure providers (prior to v1.55.0), OpenStack providers (prior to v1.49.0), and GCP providers (prior to v1.46.0). This vulnerability specifically impacts installations where Terraformer is used or can be enabled for infrastructure provisioning (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.0 base score of 9.9 (Critical) with the vector string CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code - 'Code Injection'). The technical nature of the vulnerability involves possible code injection in Gardener Extensions when Terraformer is used for infrastructure provisioning (NVD).

The vulnerability could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster where the shoot cluster is managed. This represents a critical security breach as it affects the confidentiality, integrity, and availability of the system with high severity across all three aspects (GitHub Advisory).

The vulnerability has been patched in the following versions: AWS providers version 1.64.0, Azure providers version 1.55.0, OpenStack providers version 1.49.0, and GCP providers version 1.46.0. Organizations are strongly advised to upgrade to these or later versions to mitigate the vulnerability (NVD).