Headline
GHSA-fw33-qpx7-rhx2: Vulnerability discovered in gardenctl versions < v2.12.0
A security vulnerability was discovered for gardenctl when it is used with non‑POSIX shells such as Fish and PowerShell. Such setup could allow an attacker with administrative privileges for a Gardener project to craft malicious credential values in infrastructure Secret objects that break out of the intended string context when evaluated in Fish or PowerShell environments used by the Gardener service operators, leading to arbitrary command execution on the operator’s device.
Am I vulnerable? This CVE affects all Gardener operators who use gardenctl < v2.12.0 with non‑POSIX shells such as Fish and PowerShell.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-67508
Vulnerability discovered in gardenctl versions < v2.12.0
Package
gomod github.com/gardener/gardenctl-v2 (Go)
Affected versions
< 0.0.0-20251107111549-0bdc484cb5fb
Patched versions
0.0.0-20251107111549-0bdc484cb5fb
A security vulnerability was discovered for gardenctl when it is used with non‑POSIX shells such as Fish and PowerShell. Such setup could allow an attacker with administrative privileges for a Gardener project to craft malicious credential values in infrastructure Secret objects that break out of the intended string context when evaluated in Fish or PowerShell environments used by the Gardener service operators, leading to arbitrary command execution on the operator’s device.
Am I vulnerable?
This CVE affects all Gardener operators who use gardenctl < v2.12.0 with non‑POSIX shells such as Fish and PowerShell.
References
- GHSA-fw33-qpx7-rhx2
Published to the GitHub Advisory Database
Dec 11, 2025