CVE-2025-1098
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Tags
Description
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `mirror-target` and `mirror-host` Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Analysis
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress annotations. Attackers can inject arbitrary NGINX configuration directives that lead to code execution in the ingress controller context, exposing cluster Secrets. This is a companion vulnerability to CVE-2025-1974 (IngressNightmare).
Technical Context
The mirror-target and mirror-host Ingress annotations are not properly sanitized before being inserted into the generated NGINX configuration. An attacker who can create or modify Ingress resources can inject arbitrary NGINX directives, including those that execute external programs or Lua code. This runs in the context of the ingress controller, which typically has broad Secret read access.
Affected Products
['ingress-nginx (Kubernetes)']
Remediation
Update ingress-nginx to the patched version. Implement annotation validation policies (e.g., Kyverno, OPA/Gatekeeper). Restrict Ingress creation RBAC to trusted namespaces. Monitor Ingress objects for suspicious annotations.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today