
Kubernetes CVE-2025-1098

HIGH
Improper Input Validation (CWE-20)
2025-03-25 jordan@liggitt.net
CVSS 3.1: 8.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (4 events)

Patch released: Mar 31, 2026 - 21:13 (nvd). Patch available.
Analysis Generated: Mar 28, 2026 - 18:33 (vuln.today).
PoC Detected: Feb 04, 2026 - 20:16 (vuln.today). Public exploit code.
CVE Published: Mar 25, 2025 - 00:15 (nvd). HIGH 8.8.

Description (NVD)

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the mirror-target and mirror-host Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Analysis (AI)

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress annotations. Attackers can inject arbitrary NGINX configuration directives that lead to code execution in the ingress controller context, exposing cluster Secrets. This is a companion vulnerability to CVE-2025-1974 (IngressNightmare).

Technical Context (AI)

The mirror-target and mirror-host Ingress annotations are not properly sanitized before being inserted into the generated NGINX configuration. An attacker who can create or modify Ingress resources can inject arbitrary NGINX directives, including those that execute external programs or Lua code. This runs in the context of the ingress controller, which typically has broad Secret read access.

Affected Products (AI)

ingress-nginx (Kubernetes)

Remediation (AI)

Update ingress-nginx to the patched version. Implement annotation validation policies (e.g., Kyverno, OPA/Gatekeeper). Restrict Ingress creation RBAC to trusted namespaces. Monitor Ingress objects for suspicious annotations.
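
One way to carry out the "monitor Ingress objects" step is to audit existing objects against an allowlist for the two annotations named above. This is an added example, not code from the ingress-nginx project or this advisory; the default annotation prefix, the allowlist patterns and the sample objects are assumptions constructed for illustration.

```python
import json
import re

# Assumption: default annotation prefix (changes if --annotations-prefix is set).
PREFIX = "nginx.ingress.kubernetes.io/"

# Conservative allowlists chosen for this example, not the project's own rules.
ALLOWED = {
    "mirror-host": re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?"),
    "mirror-target": re.compile(
        r"(https?://[A-Za-z0-9.-]+(:\d{1,5})?)?(/[A-Za-z0-9._~/$-]*)?"),
}

def audit_ingresses(ingress_list):
    """Return (namespace, name, annotation, repr(value)) per value outside the allowlist."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        for short, pattern in ALLOWED.items():
            value = annotations.get(PREFIX + short)
            if value is None:
                continue
            # Empty values and anything outside the allowlist (whitespace, newlines,
            # ';', braces, quotes, '#') are reported for review.
            if not value or not pattern.fullmatch(value):
                findings.append((meta.get("namespace", "default"),
                                 meta.get("name"), short, repr(value)))
    return findings

# Constructed sample in the shape of `kubectl get ingress --all-namespaces -o json`.
SAMPLE = json.loads(r'''
{"items": [
 {"metadata": {"namespace": "shop", "name": "web", "annotations": {
   "nginx.ingress.kubernetes.io/mirror-target": "https://mirror.example.internal/$request_uri",
   "nginx.ingress.kubernetes.io/mirror-host": "mirror.example.internal"}}},
 {"metadata": {"namespace": "dev", "name": "test", "annotations": {
   "nginx.ingress.kubernetes.io/mirror-target": "https://mirror.example.internal/;\n# constructed-placeholder"}}}
]}
''')

if __name__ == "__main__":
    for finding in audit_ingresses(SAMPLE):
        print("REVIEW:", *finding)
```

The same function accepts the parsed output of `kubectl get ingress --all-namespaces -o json`; values are reported with `repr()` so embedded newlines stay visible in the report.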
