CVE-2025-67508: gardenctl is vulnerable to Command Injection when used with non‑POSIX shells

December 11, 2025 (updated December 12, 2025)

A security vulnerability was discovered for gardenctl when it is used with non‑POSIX shells such as Fish and PowerShell. Such setup could allow an attacker with administrative privileges for a Gardener project to craft malicious credential values in infrastructure Secret objects that break out of the intended string context when evaluated in Fish or PowerShell environments used by the Gardener service operators, leading to arbitrary command execution on the operator’s device.

Am I vulnerable? This CVE affects all Gardener operators who use gardenctl < v2.12.0 with non‑POSIX shells such as Fish and PowerShell.

References

Code Behaviors & Features

Detect and mitigate CVE-2025-67508 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →