CVE-2025-1098
Published: 25 March 2025
Summary
CVE-2025-1098 is a high-severity Improper Input Validation (CWE-20) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the improper input validation flaw in ingress-nginx by requiring timely identification, reporting, and patching of the vulnerability, preventing arbitrary nginx configuration injection.
- AC-6 (Least Privilege): Restricts low-privileged users and service accounts from creating or modifying Ingress resources, blocking the injection of malicious mirror-target and mirror-host annotations.
- Information input validation: Mandates validation of inputs such as Ingress annotations, mitigating the improper validation that allows arbitrary configuration to be injected into the nginx process.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability lets an attacker exploit the public-facing ingress-nginx controller to gain remote code execution (a Unix shell) and to escalate from the low privilege of modifying Ingress resources to code execution inside the controller, with access to every Secret the controller can read.
NVD Description
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `mirror-target` and `mirror-host` Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Deeper analysis
CVE-2025-1098 is a vulnerability in the ingress-nginx controller for Kubernetes, hosted at https://github.com/kubernetes/ingress-nginx. The issue stems from the `mirror-target` and `mirror-host` Ingress annotations, which can be abused to inject arbitrary configuration into the underlying nginx process. This flaw enables arbitrary code execution in the context of the ingress-nginx controller and disclosure of Secrets accessible to it. In default installations, the controller has cluster-wide access to all Secrets.
The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility, low attack complexity, and a requirement for low privileges such as the ability to create or modify Ingress resources. Exploitation requires no user interaction and maintains an unchanged scope. A successful attack allows an attacker to execute arbitrary code as the ingress-nginx controller process, potentially compromising the host, and to disclose sensitive Secrets across the Kubernetes cluster.
Advisories and related resources include a Kubernetes GitHub issue at https://github.com/kubernetes/kubernetes/issues/131008, a NetApp security advisory at https://security.netapp.com/advisory/ntap-20250328-0008/, and a proof-of-concept exploit published at https://www.exploit-db.com/exploits/52475. These references provide further details on the issue, associated products, and potential mitigations such as updating to patched versions of ingress-nginx.
A public proof-of-concept exploit underscores the vulnerability's practicality, highlighting the need for immediate patching in Kubernetes environments using ingress-nginx. The flaw is linked to CWE-20 (Improper Input Validation) and was published on 2025-03-25.
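A defender-side audit that lists the Ingress objects carrying the two annotations discussed above, added here as an example; it is not part of this advisory or of the ingress-nginx project. It assumes the JSON shape printed by `kubectl get ingress -A -o json`, ingress-nginx's `nginx.ingress.kubernetes.io/` annotation prefix, and (as a heuristic) that a legitimate mirror target or host never contains nginx directive delimiters.

```python
import json

# Assumption: ingress-nginx reads its annotations under this prefix.
ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"
MIRROR_KEYS = {ANNOTATION_PREFIX + "mirror-target", ANNOTATION_PREFIX + "mirror-host"}
# Heuristic (assumption): a legitimate mirror target (a URI) or mirror host (a
# hostname) never contains characters that end an nginx directive or open a block.
DELIMITERS = set(";{}\n\r#")


def audit_ingress_list(ingress_list: dict) -> list:
    """One finding per Ingress carrying a mirror annotation.

    severity is "high" when an annotation value contains a directive delimiter,
    otherwise "review": the annotation is the injection point the advisory
    describes, so its presence should be justified even when the value looks sane.
    """
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        hits = {k: v for k, v in annotations.items() if k in MIRROR_KEYS}
        if not hits:
            continue
        suspicious = any(DELIMITERS & set(str(v)) for v in hits.values())
        findings.append({
            "namespace": meta.get("namespace", ""),
            "name": meta.get("name", ""),
            "annotations": hits,
            "severity": "high" if suspicious else "review",
        })
    return findings


def audit_kubectl_output(text: str) -> list:
    """Same audit over the raw JSON that `kubectl get ingress -A -o json` prints."""
    return audit_ingress_list(json.loads(text))


# Constructed sample: a plain Ingress, a benign mirror, and a value carrying delimiters.
SAMPLE = {"items": [
    {"metadata": {"namespace": "kube-system", "name": "plain"}},
    {"metadata": {"namespace": "shop", "name": "web",
                  "annotations": {ANNOTATION_PREFIX + "mirror-target": "/mirror"}}},
    {"metadata": {"namespace": "dev", "name": "test",
                  "annotations": {ANNOTATION_PREFIX + "mirror-host": "mirror.example;\n"}}},
]}

if __name__ == "__main__":
    for f in audit_ingress_list(SAMPLE):
        print(f"[{f['severity']}] {f['namespace']}/{f['name']}: {f['annotations']}")
```

Pipe real cluster output into `audit_kubectl_output` and treat every "review" finding as a question for the Ingress owner and every "high" finding as an incident until the patched ingress-nginx release is deployed.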
Details
- CWE(s): CWE-20 (Improper Input Validation)