
A newly disclosed high-severity vulnerability (CVE-2025-24514) in Kubernetes’ ingress-nginx controller enables attackers to execute arbitrary code and access sensitive cluster secrets through annotation injection. Rated 8.8 on the CVSS scale, this configuration injection flaw affects default installations and could impact thousands of exposed clusters.
Technical Breakdown of the Vulnerability
The vulnerability stems from improper input validation (CWE-20) in the controller's handling of the auth-url annotation. When the controller turns an Ingress object into NGINX configuration, the annotation value is written into the generated configuration without being sanitized, so a value that carries a directive terminator and a newline smuggles arbitrary NGINX directives into that configuration. The controller checks a candidate configuration by having NGINX test it, so an injected directive takes effect during validation, inside the controller pod; in a default installation that pod's service account can read Secrets across the whole cluster.
Researchers from Wiz found it as part of a set of ingress-nginx vulnerabilities dubbed "IngressNightmare", five related CVEs that can be chained for complete cluster compromise. The injection is triggered when the controller's admission webhook processes a crafted AdmissionReview request whose Ingress object carries the malicious annotation.
Exploitation Potential and Impact
Successful exploitation lets an attacker inject an ssl_engine directive, which NGINX acts on while testing the configuration by loading the shared library at the path it names; NGINX's handling of temporary request-body files gives the attacker a way to stage such a library on the controller pod's filesystem beforehand. Because the controller runs with elevated privileges, this turns configuration injection into code execution in the pod and from there into cluster-wide secret access.
Industry estimates suggest approximately 41% of internet-facing Kubernetes clusters use ingress-nginx, with researchers identifying over 6,500 potentially vulnerable clusters. The combination of code execution capability and default wide-ranging permissions creates significant risk for privilege escalation and lateral movement within affected environments.
Detection and Remediation Guidance
Organizations can list the ingress-nginx controller pods in a cluster, and then judge from their image tags whether they are on a fixed release, using the command:
kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx
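The command above only lists the controller pods; deciding whether each one is patched still means reading the image tag and comparing it against the fixed releases. The following POSIX shell script is an added example, not part of this advisory or of ingress-nginx, that performs that comparison on constructed image references and, when invoked with the argument scan, applies it to the live output of the command above. The image reference strings are constructed for the example, and the script assumes, beyond what the advisory states, that minor lines after 1.12 carry the fix.

```sh
#!/bin/sh
# Added example, not part of the original advisory or of ingress-nginx.
# Classifies controller image tags against the fixed releases named in the
# advisory: 1.11.5 for the 1.11 line and 1.12.1 for the 1.12 line. Minor
# lines older than 1.11 received no fix and are always reported vulnerable;
# lines newer than 1.12 are assumed to include the fix.

# image_tag REF -> prints the tag of an image reference, or "latest" when it
# has none. A "@sha256:..." digest suffix is dropped first so its colon is
# not mistaken for the tag separator; a colon followed by "/" belongs to a
# registry port, not a tag.
image_tag() {
    ref=${1%%@*}
    tail=${ref##*:}
    case "$tail" in
        "$ref"|*/*) printf 'latest\n' ;;
        *)          printf '%s\n' "$tail" ;;
    esac
}

# ingress_nginx_patched TAG -> returns 0 if the tag is at or beyond the fixed
# release for its minor line, 1 if it is vulnerable, 2 if the tag is not a
# plain x.y.z version (e.g. "latest" or a pre-release) and must be checked
# by hand.
ingress_nginx_patched() {
    ver=${1#v}
    case "$ver" in
        ''|*[!0-9.]*|.*|*.|*..*) return 2 ;;
    esac
    major=${ver%%.*}
    rest=${ver#"$major"};  rest=${rest#.}
    minor=${rest%%.*};     minor=${minor:-0}
    rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*};     patch=${patch:-0}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -lt 1 ] && return 1
    case "$minor" in
        11) [ "$patch" -ge 5 ] ;;
        12) [ "$patch" -ge 1 ] ;;
        *)  [ "$minor" -gt 12 ] ;;
    esac
}

# classify_image REF -> prints "patched", "VULNERABLE" or "unknown".
classify_image() {
    tag=$(image_tag "$1")
    ingress_nginx_patched "$tag" && rc=0 || rc=$?
    case $rc in
        0) printf 'patched\n' ;;
        2) printf 'unknown\n' ;;
        *) printf 'VULNERABLE\n' ;;
    esac
}

# scan_cluster: run the advisory's pod listing with jsonpath output and
# classify each controller pod's first container image. Needs kubectl and
# cluster access, so it only runs when the script is invoked with "scan".
scan_cluster() {
    kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx \
        -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{" "}{.spec.containers[0].image}{"\n"}{end}' |
    while read -r ns name image; do
        printf '%s/%s\t%s\t%s\n' "$ns" "$name" "$(image_tag "$image")" "$(classify_image "$image")"
    done
}

if [ "${1:-}" = scan ]; then
    scan_cluster
fi
```

Running `sh check-ingress-nginx.sh scan` prints one line per controller pod. A result of unknown means the tag is not a plain version and the running build has to be confirmed another way, such as the version the controller prints at startup. The check reads only the image tag: an image rebuilt under an old tag, or a mirror registry that retags upstream images, will be misreported until the mapping is adjusted.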
Immediate remediation steps include:
- Upgrading to ingress-nginx controller version 1.11.5 or 1.12.1 (or later)
- Restricting network access to the admission webhook endpoint, for example with a network policy, so that only the Kubernetes API server can reach it
- Temporarily disabling the admission webhook if patching isn't immediately possible
For Helm installations, set controller.admissionWebhooks.enabled=false during remediation. Manual deployments should delete the ValidatingWebhookConfiguration named ingress-nginx-admission and remove the --validating-webhook argument from the controller Deployment. Re-enable the webhook once the upgraded controller is running: while it is disabled, malformed Ingress objects are no longer rejected at admission time and reach the controller unchecked.
Security Implications and Best Practices
This vulnerability highlights the risk of configuration injection in Kubernetes components and underscores the need for rigorous input validation, in particular that a validation step must never feed untrusted values to the same engine that will act on them. As one of the most popular ingress controllers, with over 18,000 GitHub stars, ingress-nginx's widespread adoption makes this a particularly concerning attack vector.
Security teams should prioritize patching and review cluster configurations to limit admission controller exposure. The coordinated disclosure process between researchers and the Kubernetes Security Response Committee demonstrates the value of responsible vulnerability reporting in cloud-native ecosystems.