CVE-2025-1974 Scanner

CVE-2025-1974 Scanner - Remote Code Execution vulnerability in Ingress-Nginx Controller

Short Info

Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 5 days 20 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

Ingress-Nginx Controller is an open-source Kubernetes component used for routing external HTTP and HTTPS traffic to services within a Kubernetes cluster. It serves as a reverse proxy and load balancer, commonly deployed by cloud-native developers and DevOps teams. The controller supports advanced configuration through annotations and is widely used in production environments. It plays a crucial role in managing secure, scalable, and performant access to internal services. The controller operates with elevated privileges and access to Kubernetes secrets, making its security paramount. Its configuration capabilities, while flexible, can pose serious risks if improperly validated or exposed.

The vulnerability allows remote attackers to execute arbitrary code within the context of the Ingress-Nginx controller using a specially crafted Ingress resource. This is possible due to improper validation of the `auth-tls-match-cn` annotation, which enables injection of malicious NGINX directives. Because the controller processes user-defined annotations as part of its configuration, attackers can leverage this path to load arbitrary modules. The flaw affects specific versions of the controller and requires no prior authentication or user interaction. It is critical due to the potential access it provides to all secrets and namespaces within the cluster. The vulnerability has been confirmed and addressed by the maintainers.

Technically, the attack relies on submitting a POST request that mimics an Ingress resource creation via the Kubernetes AdmissionReview API. A malicious annotation injected into the object's metadata, such as `auth-url`, carries a payload like `#;load_module test;\n`, which the controller interprets as valid NGINX directives. If the controller copies such annotation values into the generated NGINX configuration without sanitizing them, the injected directive is processed. The scanner's matchers check the response body for strings such as `directive is not allowed here` and `load_module`, which show that the controller attempted to process the injected configuration. Observing this response pattern to the simulated request is what confirms the vulnerable behavior.
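As an added example (not part of the scanner's logic and not the ingress-nginx project's own code), the following Python validating-webhook handler shows the defensive counterpart of the check described above: it parses an AdmissionReview carrying an Ingress and rejects any ingress-nginx annotation whose value contains a character that could terminate a directive or open a block in nginx.conf. The `nginx.ingress.kubernetes.io/` prefix is the real ingress-nginx annotation prefix and the response shape is the standard `admission.k8s.io/v1` one; the sample AdmissionReview, its UID and hostnames are constructed for illustration, with the annotation value taken from the injection pattern quoted in the description.

```python
import json
import re
from typing import Dict, List, Tuple

# Annotation prefix under which ingress-nginx reads its per-Ingress settings.
NGINX_ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"

# Characters that end a directive (';', newline), open or close a block ('{', '}')
# or start a comment ('#') in nginx.conf. A legitimate auth-url or
# auth-tls-match-cn value has no need for any of them.
UNSAFE_CHARS = re.compile(r"[\r\n;#{}]")


def find_unsafe_annotations(annotations: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (annotation name, reason) for every ingress-nginx annotation whose
    value contains a character that could break out of the directive it is
    rendered into. Annotations outside the ingress-nginx prefix are ignored."""
    findings: List[Tuple[str, str]] = []
    for name, value in sorted(annotations.items()):
        if not name.startswith(NGINX_ANNOTATION_PREFIX):
            continue
        hit = UNSAFE_CHARS.search(value)
        if hit:
            findings.append((name, f"unsafe character {hit.group()!r} at offset {hit.start()}"))
    return findings


def review_admission_request(review_json: str) -> dict:
    """Validate the Ingress carried in an AdmissionReview and build the
    AdmissionReview response a validating webhook would return."""
    review = json.loads(review_json)
    request = review["request"]
    obj = request.get("object") or {}
    annotations = (obj.get("metadata") or {}).get("annotations") or {}

    # Only Ingress objects are inspected; other kinds pass through unchanged.
    findings = find_unsafe_annotations(annotations) if obj.get("kind") == "Ingress" else []
    response = {"uid": request["uid"], "allowed": not findings}
    if findings:
        response["status"] = {
            "code": 403,
            "message": "; ".join(f"{name}: {reason}" for name, reason in findings),
        }
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


# Constructed sample AdmissionReview (not captured traffic). The auth-url value
# is the injection pattern quoted in the description of this vulnerability.
SAMPLE_REVIEW = json.dumps({
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-0000-0000-000000000001",
        "kind": {"group": "networking.k8s.io", "version": "v1", "kind": "Ingress"},
        "operation": "CREATE",
        "object": {
            "apiVersion": "networking.k8s.io/v1",
            "kind": "Ingress",
            "metadata": {
                "name": "example",
                "namespace": "default",
                "annotations": {
                    "nginx.ingress.kubernetes.io/auth-url": "http://auth.example.internal/#;load_module test;\n",
                },
            },
            "spec": {"rules": []},
        },
    },
})

if __name__ == "__main__":
    print(json.dumps(review_admission_request(SAMPLE_REVIEW), indent=2))
```

Run as-is, the handler denies the sample request with a 403 status naming the `auth-url` annotation and the offending `#` character. The check is deliberately conservative: it rejects the characters rather than trying to recognise every directive NGINX accepts, which is the safer choice for a value that is ultimately spliced into a configuration file. It is a hardening layer in front of the controller, not a replacement for upgrading to a fixed release.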

If exploited, the vulnerability may allow complete control over the ingress controller, including reading Kubernetes Secrets across all namespaces. This could result in full Kubernetes cluster compromise, enabling attackers to deploy backdoors, steal data, or take over running workloads. The risk is especially high in multi-tenant clusters or when the ingress controller has access to sensitive APIs and infrastructure components. It poses both integrity and confidentiality threats to cloud environments. Timely remediation is critical to prevent lateral movement or persistence within Kubernetes clusters.
