PT-2025-12714 · Unknown+1 · Ingress-Nginx+1
Nir Ohfeld +2 · Published 2025-03-23 · Updated 2025-10-15 · CVE-2025-1098
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
ingress-nginx versions prior to v1.11.5
ingress-nginx versions v1.12.0-beta.0 through v1.12.1
Description
A security issue exists in ingress-nginx where the mirror-target and mirror-host Ingress annotations can be exploited to inject arbitrary configuration into nginx. Successful exploitation can lead to arbitrary code execution within the context of the ingress-nginx controller and potential disclosure of Secrets accessible to the controller. In a default installation, the controller has access to all Secrets cluster-wide. The issue stems from unsanitized mirror annotations.
Recommendations
Upgrade to ingress-nginx version 1.11.5 or later.
Upgrade to ingress-nginx version 1.12.1 or later.
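To see which Ingress objects rely on the mirror annotations while the upgrade is being scheduled, the following added example (not part of the advisory or of ingress-nginx) audits a `kubectl get ingress -A -o json` listing. The annotation prefix, the character heuristic and the sample data are assumptions made for this example.

```python
import re

# The page names the mirror-target and mirror-host annotations; the prefix
# below is ingress-nginx's default annotation prefix (assumed unchanged here).
PREFIX = "nginx.ingress.kubernetes.io/"
MIRROR_KEYS = (PREFIX + "mirror-target", PREFIX + "mirror-host")

# Assumed heuristic: a mirror URI or hostname needs no whitespace, control
# characters, quotes, backslashes or nginx syntax characters (; { }).
SUSPICIOUS = re.compile(r"[\s\x00-\x1f;{}\"'\\]")


def audit_ingresses(ingress_list):
    """Return one finding per mirror annotation found in a kubectl List."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        for key in MIRROR_KEYS:
            if key in annotations:
                value = str(annotations[key])
                findings.append({
                    "namespace": meta.get("namespace", "default"),
                    "name": meta.get("name", ""),
                    "annotation": key,
                    "suspicious": bool(SUSPICIOUS.search(value)),
                })
    return findings


# Constructed sample in the shape of `kubectl get ingress -A -o json` output.
SAMPLE = {"items": [
    {"metadata": {"namespace": "shop", "name": "web", "annotations": {
        PREFIX + "mirror-target": "https://mirror.example.internal$request_uri"}}},
    {"metadata": {"namespace": "dev", "name": "api", "annotations": {
        PREFIX + "mirror-host": "mirror.example.internal;\nconstructed-extra-line"}}},
    {"metadata": {"namespace": "dev", "name": "plain"}},
]}

if __name__ == "__main__":
    for f in audit_ingresses(SAMPLE):
        flag = "REVIEW" if f["suspicious"] else "in use"
        print(f'{f["namespace"]}/{f["name"]}: {f["annotation"]} [{flag}]')
```

A clean result from this heuristic does not make an affected controller safe; it only narrows which objects to review before the upgrade lands.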
Exploit
Fix
RCE
Affected Products
Red Os
Ingress-Nginx