CVE-2025-1974-k8s: Ingress-Nginx Controller - Unauthenticated Remote Code Execution

Date: 2025-08-01 | Affected software: Ingress Nginx Controller | PoC: public

Vulnerability description

A security issue was discovered in ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller.

PoC code [public]

id: CVE-2025-1974-k8s

info:
  name: Ingress-Nginx Controller - Unauthenticated Remote Code Execution
  author: princechaddha
  severity: critical
  description: A security issue was discovered in ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller
  impact: |
    Vulnerable versions of Ingress-Nginx controller can be exploited to gain unauthorized access to all secrets across namespaces in the Kubernetes cluster, potentially leading to complete cluster takeover.
  remediation: |
    Update to one of the following versions: Version 1.12.1 or later / Version 1.11.5 or later
  reference:
    - https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
    - https://projectdiscovery.io/blog/ingressnightmare-unauth-rce-in-ingress-nginx
  tags: cve,cve2025,cloud,devops,kubernetes,ingress,nginx,k8s,k8s-cluster-security

flow: |
  code(1);
  for (let pod of template.items) {
    set("pod", pod)
    javascript(1);
  }

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: kubectl get pods -n ingress-nginx -l app.kubernetes.io/component=controller -o json
    extractors:
      - type: json
        name: items
        internal: true
        json:
          - '.items[]'

javascript:
  - code: |
        let podData = JSON.parse(template.pod);

        const container = podData.spec.containers.find(c => c.name === 'controller');
        if (container && container.image) {
          const imageTag = container.image.split(':')[1];
          if (imageTag) {
            const version = imageTag.split('@')[0].replace(/^v/, '');
            const [major, minor, patch] = version.split('.').map(v => parseInt(v, 10));

            if ((major === 1 && minor === 11 && patch < 5) ||
                (major === 1 && minor === 12 && patch === 0) ||
                (major === 1 && minor < 11) ||
                (major === 1 && minor === 9 && patch <= 3)) {
              let result = (`Ingress-Nginx controller in namespace '${podData.metadata.namespace}' is running vulnerable version ${version}. Update to v1.12.1+ or v1.11.5+`);
              Export(result);
            }
          }
        }

    extractors:
      - type: dsl
        dsl:
          - response
# digest: 4a0a00473045022025ed151367a846d211bf074a1617a83ffb548d410c150328bf67f6ee18ac0b1802210096bcd92dbef5b968b615499daefd01e98fe26c6b6e56c6f431ec843c33379b67:922c64590222798bb761d5b6d8e72950
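As an added example that is not part of the template above or of the projectdiscovery project, the same version check written as a stand-alone Node.js script. It takes the JSON that `kubectl get pods -n ingress-nginx -o json` prints, finds the `controller` container of each pod, and classifies its image against the fixed versions the remediation names (v1.11.5 and v1.12.1). Unlike the template's `split(':')[1]`, it reads the tag from after the last `/` of the reference, so an image pulled from a registry with a port (e.g. `myregistry.local:5000/...`) is not misparsed, and an image pinned by digest only is reported as `unknown` instead of being silently skipped. The sample pod list, image names and digests are constructed for the example.

```javascript
// Added example (not the nuclei template's own code): version check for the
// ingress-nginx controller image, fed by `kubectl get pods -o json` output.

// Extract the tag from an image reference. Examples of accepted forms:
//   registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:<digest>
//   myregistry.local:5000/ingress-nginx/controller:v1.12.0
// Returns null when the reference carries no tag (digest-only pin).
function imageTag(image) {
  const noDigest = image.split('@')[0];          // drop "@sha256:..." if present
  const lastSlash = noDigest.lastIndexOf('/');
  const lastColon = noDigest.lastIndexOf(':');
  // A colon before the last '/' is a registry port, not a tag separator.
  if (lastColon === -1 || lastColon < lastSlash) return null;
  return noDigest.slice(lastColon + 1);
}

// "v1.11.4" -> [1, 11, 4]; null if the tag is not a semver-like version.
function parseVersion(tag) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(tag);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Vulnerable means older than v1.11.5, or exactly the v1.12.0 release:
// the advisory's fixed versions are v1.11.5 and v1.12.1.
function isVulnerable([major, minor, patch]) {
  if (major !== 1) return major < 1;
  if (minor < 11) return true;
  if (minor === 11) return patch < 5;
  if (minor === 12) return patch < 1;
  return false;
}

// Walk a pod list document and report every 'controller' container found.
function checkPods(podList) {
  const findings = [];
  for (const pod of podList.items || []) {
    const container = (pod.spec.containers || []).find(c => c.name === 'controller');
    if (!container) continue;                    // e.g. admission patch jobs
    const tag = imageTag(container.image);
    const version = tag ? parseVersion(tag) : null;
    let status = 'unknown';
    if (version) status = isVulnerable(version) ? 'vulnerable' : 'patched';
    findings.push({
      namespace: pod.metadata.namespace,
      pod: pod.metadata.name,
      image: container.image,
      version: version ? version.join('.') : null,
      status,
    });
  }
  return findings;
}

// Constructed sample, shaped like `kubectl get pods -n ingress-nginx -o json`.
// Digests are placeholders, not real image digests.
const FAKE_DIGEST = 'sha256:' + '0'.repeat(64);
const SAMPLE = {
  items: [
    { metadata: { namespace: 'ingress-nginx', name: 'ingress-nginx-controller-aaaa' },
      spec: { containers: [{ name: 'controller',
        image: 'registry.k8s.io/ingress-nginx/controller:v1.11.4@' + FAKE_DIGEST }] } },
    { metadata: { namespace: 'ingress-nginx', name: 'ingress-nginx-controller-bbbb' },
      spec: { containers: [{ name: 'controller',
        image: 'registry.k8s.io/ingress-nginx/controller:v1.12.1' }] } },
    { metadata: { namespace: 'edge', name: 'ingress-nginx-controller-cccc' },
      spec: { containers: [{ name: 'controller',
        image: 'myregistry.local:5000/ingress-nginx/controller:v1.12.0' }] } },
    { metadata: { namespace: 'edge', name: 'ingress-nginx-controller-dddd' },
      spec: { containers: [{ name: 'controller',
        image: 'registry.k8s.io/ingress-nginx/controller@' + FAKE_DIGEST }] } },
    { metadata: { namespace: 'ingress-nginx', name: 'ingress-nginx-admission-patch-x' },
      spec: { containers: [{ name: 'patch',
        image: 'registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4' }] } },
  ],
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of checkPods(SAMPLE)) {
    console.log(`${f.namespace}/${f.pod}: ${f.status} (version ${f.version ?? 'n/a'}, image ${f.image})`);
  }
}
```

To run it against a live cluster, replace `SAMPLE` with `JSON.parse(fs.readFileSync('pods.json'))` after saving `kubectl get pods -A -l app.kubernetes.io/component=controller -o json` to that file; an `unknown` result means the image is pinned by digest and the version has to be confirmed from the digest rather than the tag.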
