ingress-nginx: Configuration injection via auth-tls-match-cn (CVE-2025-1097) #shorts

Summary

Welcome to today's episode, where we delve into the recent discovery of CVE-2025-1097, a critical vulnerability affecting the Kubernetes ingress-nginx controller. This flaw allows threat actors to execute arbitrary code in the context of the controller and potentially access sensitive information across the cluster. Stay tuned as we break down the key details of this vulnerability and discuss its potential impact.

Product details

CVE-2025-1097 affects the ingress-nginx component of Kubernetes. Specifically, this vulnerability impacts all versions up to and including 1.11.4, as well as version 1.12.0, of ingress-nginx, a widely used controller that manages external access to Kubernetes services. Because the controller has access to cluster-wide Secrets by default, ingress-nginx is integral to many Kubernetes environments and, consequently, to the security of those installations.

Vulnerability type summary

This vulnerability is categorized under CWE-20, improper input validation. It allows malicious configuration to be injected through the `auth-tls-match-cn` Ingress annotation, creating a vector for arbitrary code execution and unauthorized access within the system.

Details of the vulnerability

The core of CVE-2025-1097 lies in the misuse of the `auth-tls-match-cn` Ingress annotation. Because the annotation value is not adequately validated, an attacker who can create or modify Ingress objects can use it to inject directives into the nginx configuration generated by the controller, and from there escalate privileges. Given that the ingress-nginx controller, by default, has access to all Secrets within a cluster, this arbitrary code execution vulnerability poses a significant risk, potentially leading to the exposure of sensitive data stored across the Kubernetes environment.
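Until every controller is patched, a defender can audit existing Ingress objects for `auth-tls-match-cn` values that carry nginx configuration syntax rather than a plain certificate-CN pattern. The following Python script is an added example, not code from the ingress-nginx project or from this video; the character set it flags and the sample `kubectl get ingress -A -o json` output are constructed assumptions for illustration.

```python
import json
import re

# Full annotation key used by ingress-nginx for the CN match.
ANNOTATION = "nginx.ingress.kubernetes.io/auth-tls-match-cn"

# Heuristic (an assumption of this example): characters that carry meaning in
# nginx configuration syntax and should not appear in a CN match pattern.
# Curly braces are also regex quantifiers, so hits are for human review.
NGINX_SYNTAX = re.compile(r"[\r\n;{}#]")


def audit_ingress(ingress: dict) -> list:
    """Return findings for one Ingress object (dict parsed from JSON/YAML)."""
    meta = ingress.get("metadata", {})
    name = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
    value = meta.get("annotations", {}).get(ANNOTATION)
    if value is None:
        return []  # annotation not used, nothing to check
    findings = []
    if NGINX_SYNTAX.search(value):
        findings.append(f"{name}: {ANNOTATION} contains nginx syntax characters")
    try:
        re.compile(value)  # a legitimate value is a CN regular expression
    except re.error:
        findings.append(f"{name}: {ANNOTATION} is not a valid regular expression")
    return findings


def audit_ingress_list(doc: dict) -> list:
    """Audit a List document such as `kubectl get ingress -A -o json` returns."""
    return [f for item in doc.get("items", []) for f in audit_ingress(item)]


# Constructed sample: one benign Ingress, one with a suspicious annotation value.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"namespace": "shop", "name": "web",
  "annotations": {"%s": "CN=client-a"}}},
 {"metadata": {"namespace": "shop", "name": "api",
  "annotations": {"%s": "CN=x\\n}\\n# constructed-injection-marker"}}}
]}""" % (ANNOTATION, ANNOTATION))

if __name__ == "__main__":
    for finding in audit_ingress_list(SAMPLE):
        print(finding)
```

Run it against the real cluster with `kubectl get ingress -A -o json | python audit.py` after replacing `SAMPLE` with `json.load(sys.stdin)`.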

Conclusion

In summary, CVE-2025-1097 underscores the critical need for vigilance and swift action in maintaining Kubernetes security. Security practitioners managing affected ingress-nginx versions should prioritize updating their systems to a patched version to mitigate potential exploits. Stay informed and proactive in defending against evolving vulnerabilities in your Kubernetes infrastructure. Thank you for tuning in, and join us next time as we continue to explore the ever-changing landscape of cybersecurity threats.

Watch the full video on YouTube: CVE-2025-1097


CVE database technical details

CVE ID
CVE-2025-1097
Description
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Provider
kubernetes
CWE / problem types
CWE-20 Improper Input Validation
Affected Software Versions
kubernetes:ingress-nginx: all versions from 0 up to and including 1.11.4 (semver range, affected); version 1.12.0 (affected)
Date Published
2025-03-24T23:29:05.879Z
Last Updated
2025-03-27T03:55:13.954Z