CVE-2025-24514
📋 TL;DR
This vulnerability allows attackers to inject malicious configuration into ingress-nginx via the auth-url annotation, leading to arbitrary code execution within the controller pod. It affects all Kubernetes clusters using ingress-nginx with the vulnerable annotation. Attackers can access all cluster-wide Secrets in default installations.
💻 Affected Systems
- ingress-nginx
⚠️ Risk & Real-World Impact
Worst Case
Full cluster compromise: attacker gains control of ingress-nginx controller, accesses all cluster Secrets, deploys malicious workloads, and pivots to other cluster components.
Likely Case
Data exfiltration and lateral movement: attacker steals sensitive Secrets (database credentials, API keys, certificates) and uses them to access backend services.
If Mitigated
Impact limited to an isolated namespace if RBAC restricts the controller's Secret access and network policies limit egress.
🎯 Exploit Status
Exploit requires ability to create or modify Ingress resources with the auth-url annotation. Public exploit code exists on Exploit-DB.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check latest ingress-nginx releases for fix
Vendor Advisory: https://github.com/kubernetes/ingress-nginx/security/advisories
Restart Required: Yes
Instructions:
1. Update the ingress-nginx controller to a patched version.
2. Delete and recreate the controller pods.
3. Verify that no Ingress resources use malicious auth-url values.
🔧 Temporary Workarounds
Restrict auth-url annotation usage
Use Kubernetes admission controllers or OPA/Gatekeeper to block or validate auth-url annotations
kubectl get ingress --all-namespaces -o json | jq '.items[] | select(.metadata.annotations["nginx.ingress.kubernetes.io/auth-url"]) | .metadata.name'
Limit controller Secret access
Modify RBAC to restrict the controller's Secret access to specific namespaces
kubectl edit clusterrole ingress-nginx
kubectl edit clusterrolebinding ingress-nginx
🧯 If You Can't Patch
- Audit all Ingress resources for auth-url annotations and remove suspicious ones
- Implement network policies to restrict ingress-nginx pod egress and monitor for unusual outbound connections
🔍 How to Verify
Check if Vulnerable:
Check if any Ingress resources use the auth-url annotation (this prints only the annotation values, not which Ingress carries them; use the jq query under Temporary Workarounds to get the names): kubectl get ingress --all-namespaces -o jsonpath='{.items[*].metadata.annotations.nginx\.ingress\.kubernetes\.io/auth-url}'
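The workaround above says to validate auth-url annotations with an admission controller, and the audit steps say to review every Ingress that carries one. The script below is an added example (it is not part of the advisory or of the ingress-nginx project) that does both with one predicate: is_acceptable_auth_url accepts only a plain http(s) URL built from a conservative character allow-list, and audit_ingress_list runs that predicate over the JSON that kubectl get ingress --all-namespaces -o json prints. The sample Ingress list, the namespaces and hostnames in it, and the optional allowed_hosts pinning are constructed assumptions for the example; the allow-list and the two tolerated nginx variables are a policy choice you may need to widen for your own deployments.

```python
"""Audit ingress-nginx auth-url annotations (added example, not advisory code).

Usage:  kubectl get ingress --all-namespaces -o json | python3 audit_auth_url.py - [allowed-host ...]
Without "-" the script runs against the constructed sample below.
"""
import json
import re
import sys
from urllib.parse import urlsplit

AUTH_URL_ANNOTATION = "nginx.ingress.kubernetes.io/auth-url"

# Conservative allow-list: letters, digits and the handful of URL punctuation
# characters a normal auth endpoint needs. Anything outside it is rejected, so
# the value can only ever be a plain URL, never additional configuration.
_ALLOWED = re.compile(r"[A-Za-z0-9\-._~:/?=&%+@]+")

# nginx variables that some legitimate deployments put in auth-url (assumed
# set; extend deliberately if your Ingresses rely on others).
SAFE_NGINX_VARS = ("$host", "$request_uri")


def is_acceptable_auth_url(value, allowed_hosts=None):
    """True if value is a plain http(s) URL made only of allow-listed characters.

    allowed_hosts, when given, additionally pins the URL host to a known set of
    auth backends (hypothetical policy knob; variable hosts then never pass).
    """
    if not isinstance(value, str) or not value:
        return False
    stripped = value
    for token in SAFE_NGINX_VARS:
        stripped = stripped.replace(token, "var")  # tolerate known variables
    if not _ALLOWED.fullmatch(stripped):
        return False
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    if allowed_hosts is not None and parts.hostname not in allowed_hosts:
        return False
    return True


def audit_ingress_list(ingress_list_json, allowed_hosts=None):
    """Return (namespace, name, auth_url, verdict) for every Ingress in the list.

    verdict is "no-auth-url", "ok" or "REVIEW" (value failed the predicate).
    """
    doc = json.loads(ingress_list_json)
    findings = []
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        value = annotations.get(AUTH_URL_ANNOTATION)
        if value is None:
            verdict = "no-auth-url"
        elif is_acceptable_auth_url(value, allowed_hosts):
            verdict = "ok"
        else:
            verdict = "REVIEW"
        findings.append((meta.get("namespace", ""), meta.get("name", ""), value, verdict))
    return findings


# Constructed sample standing in for `kubectl get ingress --all-namespaces -o json`.
SAMPLE_KUBECTL_OUTPUT = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"namespace": "shop", "name": "web", "annotations": {
            AUTH_URL_ANNOTATION: "https://auth.shop.svc.cluster.local:4180/oauth2/auth"}}},
        {"metadata": {"namespace": "shop", "name": "api", "annotations": {
            "nginx.ingress.kubernetes.io/rewrite-target": "/"}}},
        {"metadata": {"namespace": "dev", "name": "scratch", "annotations": {
            AUTH_URL_ANNOTATION: "not a url at all"}}},
        {"metadata": {"namespace": "dev", "name": "legacy", "annotations": {
            AUTH_URL_ANNOTATION: "https://$host/oauth2/auth"}}},
    ],
})


def main(argv):
    raw = sys.stdin.read() if len(argv) > 1 and argv[1] == "-" else SAMPLE_KUBECTL_OUTPUT
    hosts = set(argv[2:]) or None
    for namespace, name, value, verdict in audit_ingress_list(raw, hosts):
        print(f"{verdict:12} {namespace}/{name}  {value!r}")


if __name__ == "__main__":
    main(sys.argv)
```

Every "REVIEW" line is an Ingress whose auth-url is not a plain URL and should be inspected by hand; "ok" means only that the value is shaped like a URL, not that the cluster is patched. The same is_acceptable_auth_url predicate is the rule an admission webhook or Gatekeeper constraint would enforce so that such values are rejected at write time rather than found after the fact.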
Check Version:
kubectl describe pod -n ingress-nginx | grep Image
Verify Fix Applied:
Verify controller version is patched and no malicious auth-url values exist
📡 Detection & Monitoring
Log Indicators:
- Unusual nginx configuration errors
- Unexpected subrequest patterns in auth-url
- Controller pod executing unexpected commands
Network Indicators:
- Ingress controller making unexpected outbound connections
- Unusual traffic patterns from controller pod
SIEM Query:
kubernetes.pod.name:"ingress-nginx" AND (process.name:"sh" OR process.name:"bash" OR process.name:"curl" OR process.name:"wget")