PT-2025-12717 · Ingress-Nginx
Nir Ohfeld and two others
Published 2025-03-23 · Updated 2026-05-04
CVE-2025-24514
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
ingress-nginx versions prior to v1.11.5
ingress-nginx versions from v1.12.0-beta.0 through v1.12.1
Description
A security issue exists in ingress-nginx where the auth-url Ingress annotation can be exploited to inject configuration into nginx. Successful exploitation can lead to arbitrary code execution within the context of the ingress-nginx controller and potential disclosure of Secrets accessible to the controller. In a default installation, the controller has access to all Secrets within the cluster. The root cause is insufficient input validation of the annotation value.
Recommendations
Update to a version of ingress-nginx greater than or equal to v1.11.5.
Update to a version of ingress-nginx greater than or equal to v1.12.1.
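A defender-side audit for the weakness described above, added here as an example and not code from ingress-nginx or from the advisory's authors. It assumes the annotation key nginx.ingress.kubernetes.io/auth-url (the key ingress-nginx uses for auth-url) and Ingress objects in the JSON shape produced by `kubectl get ingress -A -o json`; the two sample Ingresses are constructed.

```python
import json
import re
from urllib.parse import urlsplit

# ingress-nginx reads the auth-url setting from this annotation key.
AUTH_URL_KEY = "nginx.ingress.kubernetes.io/auth-url"
# Characters with syntactic meaning in an nginx configuration file. A real
# authentication backend URL never needs any of them, so their presence is a
# strong signal that the value is meant to break out of the generated config.
CONFIG_META = re.compile(r"[\s;{}#'\"\\]")


def check_auth_url(value):
    """Return the reasons a value looks unsafe (empty list means it looks clean)."""
    reasons = []
    if CONFIG_META.search(value):
        reasons.append("contains nginx configuration metacharacters")
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        reasons.append("not an absolute http(s) URL")
    return reasons


def audit_ingresses(ingress_list):
    """Return (namespace, name, reasons) for each Ingress with a suspicious auth-url."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        value = (meta.get("annotations") or {}).get(AUTH_URL_KEY)
        if value is None:
            continue  # no auth-url annotation on this Ingress
        reasons = check_auth_url(value)
        if reasons:
            findings.append((meta.get("namespace"), meta.get("name"), reasons))
    return findings


# Constructed sample: a benign Ingress and one whose annotation smuggles a
# newline and a semicolon, which is what must never reach nginx.conf.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "shop", "name": "web", "annotations":
    {"nginx.ingress.kubernetes.io/auth-url": "https://auth.shop.svc/check"}}},
  {"metadata": {"namespace": "dev", "name": "scratch", "annotations":
    {"nginx.ingress.kubernetes.io/auth-url": "http://auth.dev.svc/;\\n# smuggled line"}}}
]}
""")

if __name__ == "__main__":
    for ns, name, reasons in audit_ingresses(SAMPLE):
        print(f"{ns}/{name}: {', '.join(reasons)}")
```

Running it against a live cluster dump is a quick way to find Ingress objects worth inspecting before the controller upgrade lands; a clean result does not replace the upgrade.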
Tags: Exploit, Fix, RCE
Affected Products
RED OS
Ingress-Nginx