A serious security vulnerability, associated with CVE-2025-24513, has been found in the ingress-nginx project (https://github.com/kubernetes/ingress-nginx). This vulnerability exists within the ingress-nginx Admission Controller's handling of attacker-supplied data, which is included in a filename, leading to directory traversal within the container. If exploited, this could lead to consequences ranging from denial of service (DoS) to limited disclosure of Secret objects from the Kubernetes cluster. In this post, we will discuss the details of the vulnerability, provide code snippets to illustrate the issue, and suggest possible countermeasures.
Vulnerability Details
The root cause of this vulnerability lies in how the ingress-nginx Admission Controller handles user-supplied data. A value taken from an annotation on the incoming Ingress object is used to build a filename, and that filename is later used by the controller to create a new directory. No checks are performed on the value, so an attacker can manipulate the filename to carry out a directory traversal attack.
Here is a code snippet from the ingress-nginx project that demonstrates the issue:
// Ingress-Nginx Admission Controller - Vulnerable Code Snippet
package main

import (
    "fmt"
    "os"

    networking "k8s.io/api/networking/v1"
    "k8s.io/klog/v2"
)

type controller struct{}

func (c *controller) handleIngress(obj interface{}) {
    ingress := obj.(*networking.Ingress)
    // Extracting user-supplied data from the incoming request
    // received from the Kubernetes API
    ingressAnnotation := ingress.Annotations["kubernetes.io/ingress.class"]
    if ingressAnnotation != "" {
        // Vulnerable code location:
        // attacker-supplied data is used to create a filename
        fileName := fmt.Sprintf("/tmp/%s", ingressAnnotation)
        // The filename is later used to create the directory, without any checks
        err := os.MkdirAll(fileName, 0755)
        if err != nil {
            klog.Errorf("Error creating directory: %v", err)
        }
    }
}
This code snippet shows how the Admission Controller takes the data from user-supplied annotations and creates a filename without any security checks. It is important to note that an attacker can potentially manipulate this input to include ".." within the filename, thereby traversing directories within the container.
Exploit Details
By exploiting this directory traversal vulnerability, an attacker may conduct a denial of service attack by overwriting crucial files, rendering the ingress-controller non-functional. In addition, by combining this vulnerability with other exploits, the attacker may gain access to sensitive information such as Secret objects stored in the Kubernetes cluster.
Mitigation
To address this issue, the ingress-nginx maintainers have released a patch that resolves the vulnerability. The patch enforces filename checks and replaces any instances of ".." with an underscore, essentially preventing directory traversal. Users are encouraged to update to the latest release, which incorporates the patch. (https://github.com/kubernetes/ingress-nginx/releases)
Another possible mitigation is to manually implement input validation in the ingress-controller, ensuring any user-supplied data is checked and sanitized before being used to create directories.
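The following is an added example of the input validation described above, written for this post and not taken from the ingress-nginx patch. It applies the ".." to "_" replacement the patch summary mentions, strips any directory components, and then verifies that the resulting path still lies inside the base directory (assumed here to be /tmp, as in the snippet above); the function names are our own.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// baseDir is the directory under which the controller writes per-ingress
// files (assumed value for this example, matching the snippet above).
const baseDir = "/tmp"

// ErrTraversal is returned when a candidate path would escape baseDir.
var ErrTraversal = errors.New("annotation value escapes base directory")

// sanitizeAnnotation replaces every ".." with "_" (as the patch summary
// describes) and keeps only the final path element, so separators in the
// value cannot select a different directory.
func sanitizeAnnotation(value string) string {
	v := strings.ReplaceAll(value, "..", "_")
	v = filepath.Base(v) // "a/b" -> "b", "" -> ".", "/" -> "/"
	if v == "." || v == string(filepath.Separator) {
		return "_"
	}
	return v
}

// safeFileName builds the path the controller will create and, as an
// independent second guard, checks that the cleaned path is strictly
// inside baseDir.
func safeFileName(annotation string) (string, error) {
	name := sanitizeAnnotation(annotation)
	full := filepath.Clean(filepath.Join(baseDir, name))
	rel, err := filepath.Rel(baseDir, full)
	if err != nil || rel == "." || strings.HasPrefix(rel, "..") {
		return "", ErrTraversal
	}
	return full, nil
}

func main() {
	// Constructed sample inputs: a benign class name and a traversal attempt.
	for _, in := range []string{"nginx", "../../etc/evil", "/abs/path", ""} {
		p, err := safeFileName(in)
		fmt.Printf("%q -> %q (err=%v)\n", in, p, err)
	}
}
```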
Conclusion
CVE-2025-24513 is a critical security vulnerability that affects the ingress-nginx project. The vulnerability could lead to attacks including denial of service and limited disclosure of Secret objects from the Kubernetes cluster. To minimize the risk, users should update to the latest, patched version of ingress-nginx and consider implementing input validation in their ingress-controller as an additional measure.
Timeline
Published on: 03/25/2025 00:15:14 UTC