CVE-2025-1097
Published: 25 March 2025
Summary
CVE-2025-1097 is a high-severity Improper Input Validation (CWE-20) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Deeper analysis
The vulnerability CVE-2025-1097 is an input-validation flaw (CWE-20) in ingress-nginx, the Kubernetes community-maintained ingress controller. The auth-tls-match-cn Ingress annotation can be abused to inject arbitrary configuration directives into the generated nginx configuration, resulting in code execution inside the controller process and read access to Secrets visible to that controller.
An authenticated user able to create or modify Ingress resources can therefore achieve arbitrary code execution in the ingress-nginx controller and obtain any Secrets the controller is permitted to read; in the default cluster-wide installation this grants access to every Secret. The issue carries a CVSS 3.1 base score of 8.8.
Public exploit code has been published and the EPSS probability currently stands at 0.6535 after a recorded peak of 0.6686. Further details appear in the referenced Kubernetes issue, NetApp advisory, and Exploit-DB entry.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8034
Vulnerability details
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible…
more
to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing ingress-nginx allows annotation-based config injection for RCE in controller pod, enabling exploitation of public-facing app (T1190), privilege escalation from low-priv Ingress access to cluster secrets/RCE (T1068), and arbitrary code execution (T1059).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the improper input validation (CWE-20) in the auth-tls-match-cn annotation by requiring validation of Ingress annotations before processing to prevent arbitrary nginx configuration injection.
Requires timely remediation of the identified flaw in ingress-nginx through patching, eliminating the vulnerability to arbitrary code execution.
Enforces least privilege on the ingress-nginx controller's service account to restrict cluster-wide Secret access and limits low-privileged users' ability to create or modify Ingress resources.