CVE-2025-59823 — Gardener provider extensions vulnerable to code injection when Terraform is used

Description

Gardener provider extensions vulnerable to code injection when Terraform is used for infrastructure provisioning in github.com/gardener/gardener-extension-provider-aws

How to fix CVE-2025-59823

To remediate CVE-2025-59823, upgrade the affected package to a fixed version below.

—upgrade to 1.64.0 or later
—upgrade to 1.64.0 or later
—upgrade to 1.55.0 or later
—upgrade to 1.55.0 or later
—upgrade to 1.46.0 or later
—upgrade to 1.46.0 or later
—upgrade to 1.49.0 or later
—upgrade to 1.49.0 or later

Is CVE-2025-59823 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (8)

from 0, < 1.64.0
from 0, < 1.64.0
from 0, < 1.55.0
from 0, < 1.55.0
from 0, < 1.46.0
from 0, < 1.46.0
from 0, < 1.49.0
from 0, < 1.49.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.9	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References (12)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-59823
PATCHgithub.com/gardener/gardener-extension-provider-aws
WEBgithub.com/gardener/gardener-extension-provider-aws/commit/cb5045fc146248296994804bbfe27bd896938bf2
WEBgithub.com/gardener/gardener-extension-provider-aws/releases/tag/v1.64.0