
CVE-2025-1098

Published: 24 Mar 2025
Source: msrc
EPSS Medium

Description

Kubernetes: Vulnerability in Kubernetes NGINX Ingress Controller

Ingress Controllers play a critical role within Kubernetes clusters by enabling the functionality of Ingress resources.

Azure Kubernetes Service (AKS) is aware of several security vulnerabilities affecting the Kubernetes ingress-nginx controller, including CVE-2025-1098, CVE-2025-1974, CVE-2025-1097, CVE-2025-24514, and CVE-2025-24513.

Customers running this controller on their AKS clusters are advised to update to the latest patched versions (v1.11.5 and v1.12.1) to mitigate potential risks.

FAQ

Why are we publishing this Kubernetes CVE in the Security Update Guide?

We are republishing these CVEs because on March 24, 2025, the Kubernetes SRC (Security Response Committee) published 5 CVEs that disclose vulnerabilities in the Kubernetes NGINX Ingress Controller. Some of these vulnerabilities might affect you if you have this component running in your Kubernetes cluster.

How do I know if I am affected by these vulnerabilities?

If you are running your own Kubernetes NGINX Ingress Controller, please review the CVEs and mitigate by updating to the latest patch versions (v1.11.5 and v1.12.1).

If you are using the Managed NGINX ingress with the application routing add-on on AKS, the patches are being rolled out to all regions and should be completed in a few days. No customer action is required.

The status of the AKS deployment can be monitored here: AKS Release Status.
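To answer the question above for a self-managed controller, here is an added shell check (not part of the MSRC advisory or the ingress-nginx project) that classifies each controller image tag against the patched releases named above, v1.11.5 and v1.12.1. It assumes controller Deployments carry the label app.kubernetes.io/name=ingress-nginx and use tags of the form vMAJOR.MINOR.PATCH; the sample cluster output is constructed.

```shell
#!/bin/sh
# Added example, not from the advisory: classify ingress-nginx controller image
# tags against the patched releases it names, v1.11.5 and v1.12.1.
PATCHED_1_11=5   # v1.11.5
PATCHED_1_12=1   # v1.12.1

# Print "patched", "affected" or "unknown" for one image reference or tag.
# Lines older than 1.11 have no fixed release listed, so they count as affected;
# anything newer than 1.12 is assumed (assumption) to postdate the fix.
classify_ingress_nginx_tag() {
    ref=${1%%@*}             # drop a "@sha256:..." digest suffix if present
    tag=${ref##*:}           # keep only the tag of "registry/image:tag"
    tag=${tag#v}             # strip the leading "v"
    major=${tag%%.*}
    rest=${tag#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}  # drop suffixes such as "-rc1"
    case "$major$minor$patch" in
        ''|*[!0-9]*) echo unknown; return 0 ;;   # e.g. "latest" or no tag
    esac
    case "$major.$minor" in
        1.12) [ "$patch" -ge "$PATCHED_1_12" ] && echo patched || echo affected ;;
        1.11) [ "$patch" -ge "$PATCHED_1_11" ] && echo patched || echo affected ;;
        *) if [ "$major" -gt 1 ] || [ "$minor" -gt 12 ]; then echo patched
           else echo affected; fi ;;
    esac
}

# Each input line is "<namespace> <image>", the shape produced by (label assumed):
#   kubectl get deploy -A -l app.kubernetes.io/name=ingress-nginx -o \
#     jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.spec.template.spec.containers[0].image}{"\n"}{end}'
report_controllers() {
    printf '%s\n' "$1" | while read -r ns image; do
        [ -n "$image" ] || continue
        tag=${image%%@*}
        printf '%s\t%s\t%s\n' "$ns" "${tag##*:}" "$(classify_ingress_nginx_tag "$image")"
    done
}

# Number of controller deployments still on an affected version.
count_affected() {
    report_controllers "$1" | grep -c 'affected$'
}

# Constructed sample standing in for the kubectl output above.
SAMPLE='ingress-nginx registry.k8s.io/ingress-nginx/controller:v1.11.4
ingress-nginx-internal registry.k8s.io/ingress-nginx/controller:v1.12.1
legacy registry.k8s.io/ingress-nginx/controller:v1.10.2'

report_controllers "$SAMPLE"
```

Pipe real `kubectl` output into `report_controllers` instead of `$SAMPLE` to check a live cluster; a non-zero `count_affected` means at least one controller still needs the update.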

Where can I find more information about these vulnerabilities?

Exploitability

DOS

N/A

EPSS

Percentile: 97%
0.39967
Medium

Related vulnerabilities

redhat
3 months ago

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `mirror-target` and `mirror-host` Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

CVSS3: 8.8
nvd
3 months ago

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `mirror-target` and `mirror-host` Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

CVSS3: 8.8
github
3 months ago

ingress-nginx controller - configuration injection via unsanitized mirror annotations

CVSS3: 8.8
fstec
3 months ago

A vulnerability in the ingress-nginx ingress traffic controller for Kubernetes clusters, caused by errors in processing Ingress object annotations, that allows an attacker to execute arbitrary code

msrc
3 months ago

Kubernetes: Vulnerability in Kubernetes NGINX Ingress Controller
