{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2025-012.pdf"
    },
    "title": "Critical Vulnerabilities in Kubernetes Ingress-NGINX",
    "serial_number": "2025-012",
    "publish_date": "25-03-2025 18:54:08",
    "description": "On March 24, 2025, Wiz Research disclosed a set of critical Remote Code Execution vulnerabilities in the Ingress-NGINX Controller for Kubernetes. The vulnerabilities CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, and CVE-2025-1974 can be exploited to gain full cluster access, resulting in a complete compromise of the environment.<br>\nThe vulnerabilities affect a widely used component in Kubernetes environments responsible for routing external traffic to internal services. Clusters with publicly exposed admission webhooks are at immediate risk.<br>\n",
    "url_title": "2025-012",
    "content_markdown": "---\ntitle: 'Critical Vulnerabilities in Kubernetes Ingress-NGINX'\nnumber: '2025-012'\nversion: '1.0'\noriginal_date: '2025-03-24'\ndate: '2025-03-25'\n---\n\n_History:_\n\n* _25/03/2025 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn March 24, 2025, Wiz Research disclosed a set of critical Remote Code Execution vulnerabilities in the Ingress-NGINX Controller for Kubernetes. The vulnerabilities **CVE-2025-1097**, **CVE-2025-1098**, **CVE-2025-24514**, and **CVE-2025-1974** can be exploited to gain full cluster access, resulting in a complete compromise of the environment [1,2].\n\nThe vulnerabilities affect a widely used component in Kubernetes environments responsible for routing external traffic to internal services. Clusters whose admission webhook is reachable from the Internet or from untrusted workloads are at immediate risk.\n\n# Technical Details\n\nThe vulnerability **CVE-2025-1097**, with a CVSS score of 8.8, allows an unauthenticated remote attacker to inject configuration into nginx using the `auth-tls-match-cn` Ingress annotation. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and to disclosure of the Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)\n\nThe vulnerability **CVE-2025-1098**, with a CVSS score of 8.8, allows an unauthenticated remote attacker to inject arbitrary configuration into nginx using the `mirror-target` and `mirror-host` Ingress annotations, with the same impact as CVE-2025-1097: arbitrary code execution in the context of the controller and disclosure of the Secrets it can read.\n\nThe vulnerability **CVE-2025-24514**, with a CVSS score of 8.8, allows an unauthenticated remote attacker to inject configuration into nginx using the `auth-url` Ingress annotation, again with the same impact: arbitrary code execution in the context of the controller and disclosure of the Secrets it can read.\n\nThe vulnerability **CVE-2025-1974**, with a CVSS score of 9.8, is a security issue in Kubernetes where, under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller, and from there disclose the Secrets accessible to the controller. The attack path is the controller's admission webhook: the webhook that validates Ingress objects accepts requests without authentication, so any workload that can reach it on the pod network can submit a crafted admission request, and no permission to create Ingress objects is needed. This is why the workarounds below target the webhook endpoint.\n\nSuccessful exploitation of these vulnerabilities may allow attackers to:\n\n- Execute arbitrary code in the controller pod\n- Read all Secrets across namespaces\n- Take full control of the Kubernetes cluster\n\n# Affected Products\n\nThe following versions of the Ingress-NGINX Controller are affected:\n\n- all versions prior to v1.11.0;\n- v1.11.0 through v1.11.4 (the 1.11 line prior to v1.11.5);\n- v1.12.0 (the 1.12 line prior to v1.12.1).\n\n# Recommendations\n\nCERT-EU recommends updating the Ingress-NGINX Controller to a fixed release (v1.12.1, or v1.11.5 for the 1.11 line) as soon as possible, and ensuring that the admission webhook endpoint is not exposed to the Internet or to any other untrusted network.\n\n## Workarounds\n\nIf upgrading immediately is not possible, the following actions are strongly advised:\n\n- Restrict network access to the admission webhook so that only the Kubernetes API server can reach it.\n- Temporarily disable the admission webhook component of Ingress-NGINX. Ingress objects are then no longer validated on admission, so re-enable the webhook once the controller has been upgraded.\n\n# References\n\n[1] <https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities>\n\n[2] <https://groups.google.com/g/kubernetes-security-announce/c/2qa9DFtN0cQ>",
    "content_html": "<p><em>History:</em></p><ul><li><em>25/03/2025 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On March 24, 2025, Wiz Research disclosed a set of critical Remote Code Execution vulnerabilities in the Ingress-NGINX Controller for Kubernetes. The vulnerabilities <strong>CVE-2025-1097</strong>, <strong>CVE-2025-1098</strong>, <strong>CVE-2025-24514</strong>, and <strong>CVE-2025-1974</strong> can be exploited to gain full cluster access, resulting in a complete compromise of the environment [1,2].</p><p>The vulnerabilities affect a widely used component in Kubernetes environments responsible for routing external traffic to internal services. Clusters whose admission webhook is reachable from the Internet or from untrusted workloads are at immediate risk.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <strong>CVE-2025-1097</strong>, with a CVSS score of 8.8, allows an unauthenticated remote attacker to inject configuration into nginx using the <code>auth-tls-match-cn</code> Ingress annotation. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and to disclosure of the Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)</p><p>The vulnerability <strong>CVE-2025-1098</strong>, with a CVSS score of 8.8, allows an unauthenticated remote attacker to inject arbitrary configuration into nginx using the <code>mirror-target</code> and <code>mirror-host</code> Ingress annotations, with the same impact as CVE-2025-1097: arbitrary code execution in the context of the controller and disclosure of the Secrets it can read.</p><p>The vulnerability <strong>CVE-2025-24514</strong>, with a CVSS score of 8.8, allows an unauthenticated remote attacker to inject configuration into nginx using the <code>auth-url</code> Ingress annotation, again with the same impact: arbitrary code execution in the context of the controller and disclosure of the Secrets it can read.</p><p>The vulnerability <strong>CVE-2025-1974</strong>, with a CVSS score of 9.8, is a security issue in Kubernetes where, under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller, and from there disclose the Secrets accessible to the controller. The attack path is the controller's admission webhook: the webhook that validates Ingress objects accepts requests without authentication, so any workload that can reach it on the pod network can submit a crafted admission request, and no permission to create Ingress objects is needed. This is why the workarounds below target the webhook endpoint.</p><p>Successful exploitation of these vulnerabilities may allow attackers to:</p><ul><li>Execute arbitrary code in the controller pod</li><li>Read all Secrets across namespaces</li><li>Take full control of the Kubernetes cluster</li></ul><h2 id=\"affected-products\">Affected Products</h2><p>The following versions of the Ingress-NGINX Controller are affected:</p><ul><li>all versions prior to v1.11.0;</li><li>v1.11.0 through v1.11.4 (the 1.11 line prior to v1.11.5);</li><li>v1.12.0 (the 1.12 line prior to v1.12.1).</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends updating the Ingress-NGINX Controller to a fixed release (v1.12.1, or v1.11.5 for the 1.11 line) as soon as possible, and ensuring that the admission webhook endpoint is not exposed to the Internet or to any other untrusted network.</p><h3 id=\"workarounds\">Workarounds</h3><p>If upgrading immediately is not possible, the following actions are strongly advised:</p><ul><li>Restrict network access to the admission webhook so that only the Kubernetes API server can reach it.</li><li>Temporarily disable the admission webhook component of Ingress-NGINX. Ingress objects are then no longer validated on admission, so re-enable the webhook once the controller has been upgraded.</li></ul><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities\">https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://groups.google.com/g/kubernetes-security-announce/c/2qa9DFtN0cQ\">https://groups.google.com/g/kubernetes-security-announce/c/2qa9DFtN0cQ</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}
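The advisory's Affected Products and Workarounds sections, as an added shell example that is not part of the CERT-EU advisory and not ingress-nginx project code. The first half turns the advisory's version boundaries (fixed in v1.11.5 and v1.12.1) into a check a practitioner can run against the image tag of a running controller; the second half wraps the "temporarily disable the admission webhook" workaround. Assumed and adjustable: namespace `ingress-nginx`, Deployment `ingress-nginx-controller`, ValidatingWebhookConfiguration `ingress-nginx-admission`, Helm release `ingress-nginx` from the `ingress-nginx/ingress-nginx` chart, and `kubectl`, `helm` and `jq` on the path for the two cluster-touching functions. The image references in the demo loop are constructed, not taken from any real cluster.

```shell
#!/bin/sh
# Added example (not CERT-EU's advisory text nor ingress-nginx project code).
# Part 1 classifies a controller image tag against the fixed releases the
# advisory names (v1.11.5 and v1.12.1). Part 2 wraps the second workaround,
# removing the admission webhook, for an install that uses the upstream
# object names. Assumed names (adjust to your cluster): namespace
# "ingress-nginx", Deployment "ingress-nginx-controller",
# ValidatingWebhookConfiguration "ingress-nginx-admission", Helm release
# "ingress-nginx" from the "ingress-nginx/ingress-nginx" chart.

# tag_from_image IMAGE -> the tag part of an image reference, e.g.
#   registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:... -> v1.11.4
tag_from_image() {
    ref=${1%%@*}                 # drop a trailing @sha256:... digest
    name=${ref##*/}              # last path component, e.g. controller:v1.11.4
    case "$name" in
        *:*) echo "${name##*:}" ;;
        *)   echo untagged ;;    # no explicit tag; cannot classify safely
    esac
}

# classify_ingress_nginx_version TAG -> vulnerable | fixed | unknown
# Affected per the advisory: every release before 1.11.0, 1.11.x before
# 1.11.5, and 1.12.x before 1.12.1. Pre-release or odd tags give "unknown".
classify_ingress_nginx_version() {
    ver=${1#v}                   # accept both v1.11.4 and 1.11.4
    case "$ver" in
        ""|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    [ "$rest" = "$ver" ] && rest=0        # "1"    -> 1.0.0
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0     # "1.12" -> 1.12.0
    patch=${patch%%.*}                    # ignore any fourth component
    if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 11 ]; }; then
        echo vulnerable
    elif [ "$major" -eq 1 ] && [ "$minor" -eq 11 ]; then
        if [ "$patch" -lt 5 ]; then echo vulnerable; else echo fixed; fi
    elif [ "$major" -eq 1 ] && [ "$minor" -eq 12 ]; then
        if [ "$patch" -lt 1 ]; then echo vulnerable; else echo fixed; fi
    else
        echo fixed                        # 1.13+ or a later major line
    fi
}

# live_check: classify the controller actually running in the cluster.
# Needs kubectl and cluster access; not invoked in the demo below.
live_check() {
    img=$(kubectl -n ingress-nginx get deploy ingress-nginx-controller \
          -o jsonpath='{.spec.template.spec.containers[0].image}')
    printf '%s -> %s\n' "$img" \
        "$(classify_ingress_nginx_version "$(tag_from_image "$img")")"
}

# disable_admission_webhook [helm]: the advisory's "temporarily disable"
# workaround. Deleting the ValidatingWebhookConfiguration only stops the API
# server from calling the webhook; the controller keeps listening on its
# webhook port, which is the path CVE-2025-1974 uses from the pod network,
# so the --validating-webhook* arguments must go as well. Ingress objects
# are not validated while this is in place; re-enable after upgrading.
disable_admission_webhook() {
    if [ "$1" = helm ]; then
        helm upgrade ingress-nginx ingress-nginx/ingress-nginx -n ingress-nginx \
            --reuse-values --set controller.admissionWebhooks.enabled=false
        return
    fi
    kubectl delete validatingwebhookconfiguration ingress-nginx-admission
    kubectl -n ingress-nginx get deploy ingress-nginx-controller -o json \
      | jq '.spec.template.spec.containers[0].args
              |= [ .[]? | select(startswith("--validating-webhook") | not) ]' \
      | kubectl replace -f -
}

# Demo on constructed image references (not taken from any real cluster).
for img in \
    'registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:0123abcd' \
    'registry.k8s.io/ingress-nginx/controller:v1.11.5' \
    'registry.k8s.io/ingress-nginx/controller:v1.12.0' \
    'registry.k8s.io/ingress-nginx/controller:v1.12.1' \
    'registry.k8s.io/ingress-nginx/controller:v1.10.1' \
    'registry.k8s.io/ingress-nginx/controller:v1.12.0-beta.0'
do
    printf '%-62s %s\n' "$img" \
        "$(classify_ingress_nginx_version "$(tag_from_image "$img")")"
done
```

Run `live_check` to read the image of the controller Deployment and classify it; a DaemonSet-based install needs `daemonset` in place of `deploy` in both cluster-touching functions. The manifest branch of `disable_admission_webhook` removes every argument that starts with `--validating-webhook` (the listener address, certificate and key flags), because deleting only the ValidatingWebhookConfiguration leaves the unauthenticated webhook port open to the pod network.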