Ingress-Nginx Controller - Unauthenticated Remote Code Execution
ID: CVE-2025-1974-k8s
Severity: critical
Author: princechaddha
Tags: cve,cve2025,cloud,devops,kubernetes,ingress,nginx,k8s,k8s-cluster-security
Description
A security issue was discovered in ingress-nginx where the auth-tls-match-cn Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller.
YAML Source
id: CVE-2025-1974-k8s

info:
  name: Ingress-Nginx Controller - Unauthenticated Remote Code Execution
  author: princechaddha
  severity: critical
  description: A security issue was discovered in ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller
  impact: |
    Vulnerable versions of Ingress-Nginx controller can be exploited to gain unauthorized access to all secrets across namespaces in the Kubernetes cluster, potentially leading to complete cluster takeover.
  remediation: |
    Update to one of the following versions: Version 1.12.1 or later / Version 1.11.5 or later
  reference:
    - https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
    - https://projectdiscovery.io/blog/ingressnightmare-unauth-rce-in-ingress-nginx
  tags: cve,cve2025,cloud,devops,kubernetes,ingress,nginx,k8s,k8s-cluster-security

flow: |
  code(1);
  for (let pod of template.items) {
    set("pod", pod)
    javascript(1);
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: kubectl get pods -n ingress-nginx -l app.kubernetes.io/component=controller -o json
    extractors:
      - type: json
        name: items
        internal: true
        json:
          - '.items[]'

javascript:
  - code: |
      let podData = JSON.parse(template.pod);

      const container = podData.spec.containers.find(c => c.name === 'controller');
      if (container && container.image) {
        const imageTag = container.image.split(':')[1];
        if (imageTag) {
          const version = imageTag.split('@')[0].replace(/^v/, '');
          const [major, minor, patch] = version.split('.').map(v => parseInt(v, 10));

          if ((major === 1 && minor === 11 && patch < 5) ||
              (major === 1 && minor === 12 && patch === 0) ||
              (major === 1 && minor < 11) ||
              (major === 1 && minor === 9 && patch <= 3)) {
            let result = (`Ingress-Nginx controller in namespace '${podData.metadata.namespace}' is running vulnerable version ${version}. Update to v1.12.1+ or v1.11.5+`);
            Export(result);
          }
        }
      }

    extractors:
      - type: dsl
        dsl:
          - response
# digest: 4a0a00473045022025ed151367a846d211bf074a1617a83ffb548d410c150328bf67f6ee18ac0b1802210096bcd92dbef5b968b615499daefd01e98fe26c6b6e56c6f431ec843c33379b67:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "cloud/kubernetes/cves/2025/CVE-2025-1974-k8s.yaml"
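
The version gate from the template's JavaScript step, written as an added example that is not part of the original template. It goes beyond the template: it reads the tag after the last `/` (the template's `image.split(':')[1]` returns the port segment when the registry host carries a port), reports digest-only references as unknown instead of silently passing them, and flags every release below the fixed versions named in the remediation text. The function names and the sample pod list are constructed for illustration.

```javascript
// Added example, not part of the Nuclei template. Fixed releases (1.11.5 and
// 1.12.1) come from the template's remediation text.
const FIXED_PATCH = { 11: 5, 12: 1 };

// A ':' marks a tag only when it follows the last '/', so a registry port
// (host:5000/...) is not misread as the tag. The digest after '@' is dropped.
function imageTag(image) {
  const name = image.split('@')[0];
  const colon = name.lastIndexOf(':');
  return colon > name.lastIndexOf('/') ? name.slice(colon + 1) : null;
}

// Classify one controller image as 'vulnerable', 'patched' or 'unknown'.
function classify(image) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(imageTag(image) || '');
  if (!m) return 'unknown'; // digest-only or non-version tag: check by hand
  const [major, minor, patch] = m.slice(1).map(Number);
  if (major !== 1) return major < 1 ? 'vulnerable' : 'patched';
  if (minor < 11) return 'vulnerable';
  if (minor in FIXED_PATCH) return patch < FIXED_PATCH[minor] ? 'vulnerable' : 'patched';
  return 'patched'; // 1.13 and later
}

// Report every controller pod that is not confirmed patched.
function auditPods(podList) {
  const findings = [];
  for (const pod of podList.items) {
    const ctr = pod.spec.containers.find(c => c.name === 'controller');
    if (!ctr || !ctr.image) continue;
    const status = classify(ctr.image);
    if (status !== 'patched') findings.push({ pod: pod.metadata.name, status });
  }
  return findings;
}

// Constructed sample shaped like `kubectl get pods ... -o json` output.
const mkPod = (name, image) => ({
  metadata: { name, namespace: 'ingress-nginx' },
  spec: { containers: [{ name: 'controller', image }] },
});
const SAMPLE = { items: [
  mkPod('ctl-a', 'registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:' + 'a'.repeat(64)),
  mkPod('ctl-b', 'registry.example:5000/ingress-nginx/controller:v1.10.1'),
  mkPod('ctl-c', 'registry.k8s.io/ingress-nginx/controller@sha256:' + 'b'.repeat(64)),
  mkPod('ctl-d', 'registry.k8s.io/ingress-nginx/controller:v1.12.1'),
] };

console.log(auditPods(SAMPLE));
```

Pods reported as `unknown` are pinned by digest or carry a non-version tag, so the running release has to be confirmed another way before the cluster is treated as patched.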