Overview

A recently disclosed vulnerability (CVE-2025-1097) has been identified in the popular Kubernetes Ingress controller, ingress-nginx (https://github.com/kubernetes/ingress-nginx). Because of a severe security flaw in the handling of the auth-tls-match-cn annotation, attackers can exploit ingress-nginx to execute arbitrary code in the context of the ingress-nginx controller. Furthermore, this vulnerability exposes the Secrets accessible to the controller, which in default installations has access to all cluster-wide Secrets.

In this investigation, we dive into the issue: analyzing its root cause, examining the affected component, and reviewing potential mitigations.

Exploit Details

The vulnerability stems from an insecure implementation of the auth-tls-match-cn annotation in ingress-nginx. If an attacker who can create or modify Ingress objects supplies a malicious value for the auth-tls-match-cn annotation, that value manipulates the ingress-nginx controller's generated configuration and causes the controller to execute arbitrary code.

Here is an Ingress manifest illustrating this injection:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: vulnerable-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-match-cn: "'; malicious code here #"
spec:
  tls:
  - secretName: ingress-tls-secret
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-service
            port:
              number: 80

In the manifest above, an attacker replaces malicious code here with whatever they intend to execute. Because the annotation value is written into the controller's generated configuration without adequate validation, the injected text becomes part of that configuration, allowing the attacker to execute arbitrary code in the controller's context and read the Secrets the controller can access.
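A defender's first question is whether any Ingress in the cluster already carries an auth-tls-match-cn value shaped like the injection above. The following audit script is an added example, not code from ingress-nginx or from the original advisory; it works on Ingress objects in the form returned by the Kubernetes API and uses a conservative allowlist pattern that is our own assumption, not the project's validator.

```python
import re

ANNOTATION = "nginx.ingress.kubernetes.io/auth-tls-match-cn"

# Assumed allowlist for a legitimate value: a "CN=" prefix followed by name
# characters and a few regex metacharacters an operator might use. Quotes,
# semicolons, '#', braces and newlines all fall outside it. This is an audit
# heuristic chosen here, not ingress-nginx's own validation rule.
SAFE_VALUE = re.compile(r"CN=[A-Za-z0-9 ._\-*+?|()^$\[\]]+")


def check_ingress(ingress: dict) -> list[str]:
    """Return findings for one Ingress object (a dict as returned by the API)."""
    meta = ingress.get("metadata", {})
    value = meta.get("annotations", {}).get(ANNOTATION)
    if value is None:
        return []
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    # fullmatch forces the whole string to fit the allowlist, so an embedded
    # or trailing newline also fails the check.
    if SAFE_VALUE.fullmatch(value):
        return []
    return [f"{name}: unexpected characters in {ANNOTATION} value: {value!r}"]


def audit(ingresses: list[dict]) -> list[str]:
    """Run check_ingress over every object, e.g. the 'items' of a list response."""
    return [finding for ing in ingresses for finding in check_ingress(ing)]


# Constructed sample objects: a benign annotation, the injection pattern from
# the manifest above, and an Ingress without the annotation at all.
SAMPLE_INGRESSES = [
    {"metadata": {"name": "good", "namespace": "web",
                  "annotations": {ANNOTATION: "CN=client.example.com"}}},
    {"metadata": {"name": "vulnerable-ingress", "namespace": "web",
                  "annotations": {ANNOTATION: "'; malicious code here #"}}},
    {"metadata": {"name": "no-annotation", "namespace": "web"}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INGRESSES):
        print(finding)
```

To run it against a live cluster, feed the `items` list from `kubectl get ingress -A -o json` into `audit()`.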

For more information on this vulnerability, refer to the original issue report on GitHub:

- Issue #7963 - Annotation auth-tls-match-cn injects a configuration file

To combat this vulnerability, users are advised to take the following steps:

1. Upgrade ingress-nginx: Users should update their ingress-nginx installation to a patched version. Information on the relevant versions can be found in ingress-nginx's official release notes on GitHub:
- Patched Releases

2. Limit Secret Access: By default, the ingress-nginx controller has access to all Secrets across the cluster, so a compromised controller exposes every one of them. To reduce the impact of this vulnerability, narrow the controller's Secret access using role-based access control (RBAC). More information on implementing RBAC can be found in the official Kubernetes documentation:
- Using RBAC Authorization

Conclusion

CVE-2025-1097 constitutes a significant security threat within the ingress-nginx project, allowing attackers to execute arbitrary code in the controller and gain access to the Secrets it can read. By understanding the issue, upgrading to a patched release, and limiting the controller's Secret access, users can continue to run ingress-nginx while keeping their clusters secure.

Timeline

Published on: 03/25/2025 00:15:13 UTC
Last modified on: 03/27/2025 16:45:46 UTC