9.9

CVSS Score

3.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-47284

CVE-2025-47284: Gardener allows metadata injection for a project secret which can lead to privilege escalation

A security vulnerability was discovered in the gardenlet component of Gardener. It could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed.

Am I Vulnerable?

This CVE affects all Gardener installations where https://github.com/gardener/gardener-extension-provider-gcp is in use.

Affected Components

gardener/gardener (gardenlet)

Affected Versions

< v1.116.4
< v1.117.5
< v1.118.2
< v1.119.0

Fixed Versions

>= v1.116.4
>= v1.117.5
>= v1.118.2
>= v1.119.0

How do I mitigate this vulnerability?

Update to a fixed version.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-47284

CVE-2025-47284:

9.9

CVSS Score

3.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/gardener/gardener	go	< 1.116.4	1.116.4
github.com/gardener/gardener	go	>= 1.117.0, < 1.117.5	1.117.5
github.com/gardener/gardener	go	>= 1.118.0, < 1.118.2	1.118.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description points to metadata injection in the gardenlet component. The provided commit 9134cf81550807afc37b15fda09f36ddb8db7c6f directly addresses this by changing how referenced resources, specifically their annotations and labels, are handled before being copied to a seed cluster. The function PrepareReferencedResourcesForSeedCopy in pkg/utils/gardener/resources.go was modified to strip all annotations and labels, whereas previously it only removed a specific annotation. This indicates that the prior behavior of this function allowed potentially malicious metadata (annotations and labels) to be propagated, leading to the vulnerability. Therefore, this function was involved in processing the input that could be crafted for exploitation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.9

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-47284: Gardener allows metadata injection for a project secret which can lead to privilege escalation

Am I Vulnerable?

Affected Components

Affected Versions

Fixed Versions

How do I mitigate this vulnerability?

CVE-2025-47284:

9.9

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

9.9

9.9

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-47284: Gardener allows metadata injection for a project secret which can lead to privilege escalation

Am I Vulnerable?

Affected Components

Affected Versions

Fixed Versions

How do I mitigate this vulnerability?

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI