A critical security vulnerability (CVE-2025-24514) has been discovered in the popular ingress-nginx project (https://github.com/kubernetes/ingress-nginx). This vulnerability allows attackers to exploit the auth-url Ingress annotation and inject configuration into the nginx server running within the ingress-nginx controller. As a result, the attacker can execute arbitrary code in the context of the ingress-nginx controller and potentially gain access to Secrets stored within the Kubernetes cluster.
Exploit Details
The vulnerability lies in the improper handling of the auth-url Ingress annotation which is used to enable external authentication. When processing this annotation, the ingress-nginx controller does not properly sanitize the URL provided, allowing the injection of a malicious nginx configuration snippet. As part of this exploit, an attacker can craft an authenticated request to the ingress-nginx-controller containing their specially crafted configuration.
Here is a code snippet that demonstrates how an attacker could create a malicious Ingress resource:
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "http://auth-service.default.svc.cluster.local/validate/auth; include /etc/passwd;"
spec:
  rules:
  - host: my-example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: my-service
          servicePort: 80
In this example, the auth-url annotation is set to a URL followed by the malicious nginx configuration snippet "; include /etc/passwd;". When processing this Ingress object, the ingress-nginx controller will include the attacker's malicious configuration line into the nginx server, which in turn will disclose the contents of the /etc/passwd file when a request is made to the auth-url.
Original References
For more information about this vulnerability and ongoing mitigation efforts, please refer to the following sources:
- https://github.com/kubernetes/ingress-nginx
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24514
Impact
The impact of this vulnerability is significant for users of ingress-nginx. Successful exploitation could allow an attacker to execute arbitrary code, elevate their privileges within the Kubernetes cluster, and potentially gain access to highly sensitive Secrets. In the default installation of ingress-nginx, the controller can access all Secrets within the cluster, making this vulnerability all the more dangerous.
Mitigation and Remediation
Users of ingress-nginx should immediately apply any available patches, verify their existing ingress resources for any unexpected configurations, and follow best practices in securing their Kubernetes clusters and Secrets. It is also essential to impose restrictions on who can create and modify Ingress objects within the cluster and continuously monitor for any suspicious activities.
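One way to verify existing Ingress resources, as an added example that is not code from the ingress-nginx project: the script below flags auth-url annotation values that contain nginx directive metacharacters or are not absolute http(s) URLs. The character list is a heuristic assumption, and the sample data is constructed from the manifest shown earlier.

```python
import json
import sys
from urllib.parse import urlsplit

AUTH_URL = "nginx.ingress.kubernetes.io/auth-url"
# Assumption (heuristic): characters that terminate or open an nginx directive,
# or that an unencoded URL never needs. Not the controller's own validation.
SUSPICIOUS = set(";{}\"'\\ \t\r\n")

def check_auth_url(value):
    """Return the reasons an auth-url value looks unsafe (empty list if clean)."""
    reasons = []
    bad = sorted(c for c in set(value) if c in SUSPICIOUS)
    if bad:
        reasons.append("nginx metacharacters: " + ", ".join(repr(c) for c in bad))
    try:
        parts = urlsplit(value)
        absolute = parts.scheme in ("http", "https") and bool(parts.hostname)
    except ValueError:
        absolute = False
    if not absolute:
        reasons.append("not an absolute http(s) URL")
    return reasons

def audit(ingress_list):
    """Return (namespace, name, reasons) for each flagged Ingress in a List document."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        value = (meta.get("annotations") or {}).get(AUTH_URL)
        if value is None:
            continue  # Ingress does not use external authentication
        reasons = check_auth_url(value)
        if reasons:
            findings.append((meta.get("namespace", "default"), meta.get("name"), reasons))
    return findings

# Constructed sample: the annotation value from the manifest above, plus clean objects.
SAMPLE = {"items": [
    {"metadata": {"namespace": "default", "name": "my-ingress", "annotations": {
        AUTH_URL: "http://auth-service.default.svc.cluster.local/validate/auth; include /etc/passwd;"}}},
    {"metadata": {"namespace": "web", "name": "clean", "annotations": {
        AUTH_URL: "https://$host/oauth2/auth"}}},
    {"metadata": {"namespace": "web", "name": "no-auth"}},
]}

if __name__ == "__main__":
    # Usage: kubectl get ingress -A -o json | python3 audit_auth_url.py
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, name, reasons in audit(doc):
        print(f"{ns}/{name}: {'; '.join(reasons)}")
```

A clean result from this check does not replace patching; it only surfaces annotation values that deserve a manual look.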
Conclusion
CVE-2025-24514 is a major security vulnerability in the ingress-nginx project that exposes users to various risks, such as arbitrary code execution and disclosure of sensitive information. It is critical that users update their ingress-nginx installations to the latest versions and follow best practices to protect their Kubernetes clusters. Security professionals need to be vigilant in identifying and mitigating such vulnerabilities to ensure the continued safety and integrity of their systems.
Timeline
Published on: 03/25/2025 00:15:15 UTC
Last modified on: 03/27/2025 16:45:46 UTC