RCE in Gardener Gardenctl-v2
CVE-2025-67508
gardenctl is a command-line client for the Gardener which configures access to clusters and cloud provider CLI tools. When using non‑POSIX shells such as Fish and PowerShell, versions 2.11.0 and below of gardenctl allow an attacker with ad…
Vulnerability class: Command Injection (OS Command Injection)
EPSS: 0.002 (10.5th percentile).
CVSS v3 metric
CVSS v3 base score 8.4 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H.
Affected products
- Gardener Gardenctl-v2 — versions < 2.12.0
- Linuxfoundation Gardenctl
References
- security-advisories@github.com (x_refsource_CONFIRM, Vendor Advisory)
Frequently asked questions
- What is CVE-2025-67508?
- CVE-2025-67508 is a high-severity vulnerability in Gardener Gardenctl-v2, classified under Command Injection. CVSS score: 8.4/10. Published 2025-12-12.
- How severe is CVE-2025-67508?
- High severity. CVSS v3 base score is 8.4 out of 10.