Platform: go
Component: github.com/gardener/gardener-extension-provider-aws
Fixed in: 1.64.1, 1.55.1, 1.49.1, 1.46.1, 1.64.0
CVE-2025-59823 describes a critical code injection vulnerability in the github.com/gardener/gardener-extension-provider-aws component. The flaw arises during infrastructure provisioning with Terraform and allows attackers to inject malicious code. It affects versions before 1.64.0; a patched release is available.
The code injection vulnerability in github.com/gardener/gardener-extension-provider-aws poses a significant threat. An attacker who can influence the Terraform provisioning process can inject arbitrary code into the infrastructure being created. This could lead to complete system compromise, including unauthorized access to sensitive data, modification of system configurations, and lateral movement within the Gardener cluster. The impact is particularly severe because Terraform is commonly used for automated infrastructure deployment, so a single injection point can give an attacker control over the whole environment. Successful exploitation could allow an attacker to establish a persistent foothold and exfiltrate sensitive information.
While specific exploitation details remain limited, the CRITICAL CVSS score indicates a high likelihood of exploitation. The nature of the vulnerability (code injection during infrastructure provisioning) makes it a potentially attractive target for attackers. Public proof-of-concept code is currently unavailable, but the potential for widespread impact warrants immediate attention. This CVE was published on 2025-10-23.
Organizations using Gardener with the AWS extension provider for infrastructure provisioning are at risk. This includes teams that rely heavily on Terraform for automated deployments and those with less stringent input validation in their Terraform configurations. Shared hosting environments and deployments where Terraform state files are not adequately secured are particularly exposed.
• go / supply-chain:
  find /opt/go/src/github.com/gardener/gardener-extension-provider-aws -name '*.go' -print0 | xargs -0 grep -i 'terraform.NewResource'
• generic web:
  curl -I https://<your-gardener-endpoint>/api/v1/extensionproviders/aws | grep -i 'server:'
Exploit status
EPSS: 0.07% (20th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-59823 is to upgrade immediately to version 1.64.0 or later of github.com/gardener/gardener-extension-provider-aws. If an immediate upgrade is not feasible because of compatibility concerns or breaking changes, implement stricter input validation and sanitization in your Terraform configurations to prevent malicious code from being injected. Review and audit all Terraform templates and scripts used for infrastructure provisioning. Additionally, restrict access to Terraform state files to prevent unauthorized modifications. After upgrading, verify the fix by attempting to trigger a Terraform provisioning process with a known malicious payload and confirming that it is properly sanitized and rejected.
Update the Gardener extensions for AWS to version 1.64.0, Azure to version 1.55.0, OpenStack to version 1.49.0 and GCP to version 1.46.0 or higher. This fixes the code injection vulnerability when using Terraformer for infrastructure provisioning. Make sure to update all affected extensions in your Gardener environment.
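The quickest defender-side check is to compare the provider-extension versions pinned in a go.mod file against the fixed releases named in this advisory. The following Go program is an added example written for this page; it is not code from the Gardener project. It parses both the single-line and block forms of `require`, ignores comments, and reports every tracked module that is pinned below its fixed version. Only the aws module path appears on this page; the azure, openstack and gcp paths are assumed from the same naming pattern, and the sample go.mod content is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// fixedVersions maps a Gardener provider-extension module to the first release
// that contains the fix for CVE-2025-59823 (versions taken from the advisory).
// Only the aws path is stated on the page; the other three are assumed from the
// same naming pattern.
var fixedVersions = map[string]string{
	"github.com/gardener/gardener-extension-provider-aws":       "v1.64.0",
	"github.com/gardener/gardener-extension-provider-azure":     "v1.55.0",
	"github.com/gardener/gardener-extension-provider-openstack": "v1.49.0",
	"github.com/gardener/gardener-extension-provider-gcp":       "v1.46.0",
}

// parseVersion turns "v1.63.2", "1.63.2" or "v1.63.2-rc1" into [1 63 2].
// Pre-release and build suffixes are dropped for this coarse comparison.
func parseVersion(v string) ([3]int, bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return [3]int{}, false
	}
	var out [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return [3]int{}, false
		}
		out[i] = n
	}
	return out, true
}

// lessThan reports whether version a sorts strictly before version b.
func lessThan(a, b [3]int) bool {
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// Finding describes one dependency pinned below its fixed version.
type Finding struct {
	Module, Have, Need string
}

// ParseRequires extracts module -> version from go.mod text. It handles both
// "require m v" and "require ( ... )" blocks and strips // comments first.
func ParseRequires(gomod string) map[string]string {
	reqs := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		switch {
		case inBlock && fields[0] == ")":
			inBlock = false
		case inBlock && len(fields) >= 2:
			reqs[fields[0]] = fields[1]
		case fields[0] == "require" && len(fields) >= 2 && fields[1] == "(":
			inBlock = true
		case fields[0] == "require" && len(fields) >= 3:
			reqs[fields[1]] = fields[2]
		}
	}
	return reqs
}

// CheckGoMod returns one Finding per tracked provider extension whose pinned
// version is older than the fixed release.
func CheckGoMod(gomod string) []Finding {
	var findings []Finding
	for mod, have := range ParseRequires(gomod) {
		need, tracked := fixedVersions[mod]
		if !tracked {
			continue
		}
		hv, okHave := parseVersion(have)
		nv, okNeed := parseVersion(need)
		if okHave && okNeed && lessThan(hv, nv) {
			findings = append(findings, Finding{Module: mod, Have: have, Need: need})
		}
	}
	return findings
}

// sampleGoMod is a constructed go.mod fragment, not taken from any real project.
const sampleGoMod = `module example.com/shoot-tooling // constructed sample

go 1.22

require (
	github.com/gardener/gardener-extension-provider-aws v1.63.0 // indirect
	github.com/gardener/gardener-extension-provider-gcp v1.46.1
)
require github.com/gardener/gardener-extension-provider-azure v1.54.9
`

func main() {
	for _, f := range CheckGoMod(sampleGoMod) {
		fmt.Printf("AFFECTED %s %s (fixed in %s)\n", f.Module, f.Have, f.Need)
	}
}
```

Run it against a real go.mod by replacing `sampleGoMod` with the file's contents; `replace` directives and `exclude` lines are not interpreted, so a module overridden by a `replace` should be checked by hand.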
CVE-2025-59823 is a critical code injection vulnerability affecting github.com/gardener/gardener-extension-provider-aws versions before 1.64.0. It allows attackers to inject malicious code during Terraform infrastructure provisioning, potentially leading to system compromise.
If you are using github.com/gardener/gardener-extension-provider-aws versions prior to 1.64.0 and use Terraform for infrastructure provisioning, you are potentially affected by this vulnerability.
Upgrade to version 1.64.0 or later of github.com/gardener/gardener-extension-provider-aws. If an immediate upgrade is not possible, implement stricter input validation in your Terraform configurations.
While no active exploitation has been publicly confirmed, the CRITICAL severity and the nature of the vulnerability suggest a high likelihood of exploitation.
Refer to the official Gardener documentation and security advisories for the most up-to-date information regarding CVE-2025-59823: [https://docs.gardener.cloud/security/advisories/](https://docs.gardener.cloud/security/advisories/)