CVE-2025-1098
Published: 25 March 2025
Summary
CVE-2025-1098 is a high-severity Improper Input Validation (CWE-20) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-1098 is an input validation flaw (CWE-20) in ingress-nginx that permits the mirror-target and mirror-host Ingress annotations to inject arbitrary nginx configuration directives. The affected component is the ingress-nginx controller running in Kubernetes clusters; successful injection executes code in the controller process and exposes any Secrets the controller can read, which by default includes all Secrets cluster-wide.
An authenticated user able to create or update Ingress objects can therefore achieve remote code execution inside the controller and obtain arbitrary secret material without needing elevated cluster privileges beyond standard Ingress management rights.
Public references consist of a Kubernetes GitHub issue, a NetApp security advisory, and an Exploit-DB entry that document the problem and point to remediation steps, though specific patch versions or configuration work-arounds are not detailed in the supplied references.
The EPSS probability rose materially from a low baseline to a peak of 0.6618 on 2026-02-03 before receding to the current value of 0.3418, indicating that exploitation interest increased after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8033
Vulnerability details
A security issue was discovered in ingress-nginx (https://github.com/kubernetes/ingress-nginx) where the `mirror-target` and `mirror-host` Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables exploitation of public-facing ingress-nginx for RCE (Unix shell) and privilege escalation from low-privilege Ingress modification to code execution in the controller with Secret access.
Mitigating Controls (NIST 800-53 r5)
Directly remediates the improper input validation flaw in ingress-nginx by requiring timely identification, reporting, and patching of the vulnerability to prevent arbitrary nginx configuration injection.
Enforces least privilege to restrict low-privileged users or service accounts from creating or modifying Ingress resources, blocking the injection of malicious mirror-target and mirror-host annotations.
Mandates validation of information inputs such as Ingress annotations to mitigate improper validation that enables arbitrary configuration injection into the nginx process.
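As an added example (not code from the ingress-nginx project or from the referenced advisories), the following audit sketch supports the least-privilege and input-validation controls above by listing every Ingress that sets the `mirror-target` or `mirror-host` annotation. It assumes the default `nginx.ingress.kubernetes.io/` annotation prefix; the set of "structural" characters and the sample objects are constructed for illustration.

```python
import json
import sys

PREFIX = "nginx.ingress.kubernetes.io/"      # default annotation prefix (assumed)
WATCHED = ("mirror-target", "mirror-host")   # annotations named in the advisory
# Assumption: characters with structural meaning in nginx configuration that
# a plain mirror host or URI value has no reason to contain.
STRUCTURAL = set(";{}#\"'\\\n\r")

# Constructed sample in the shape of `kubectl get ingress -A -o json` output.
SAMPLE = {"items": [
    {"metadata": {"namespace": "team-a", "name": "docs"}},
    {"metadata": {"namespace": "team-a", "name": "shop", "annotations": {
        PREFIX + "mirror-target": "https://mirror.example.internal$request_uri"}}},
    {"metadata": {"namespace": "team-b", "name": "blog", "annotations": {
        PREFIX + "mirror-host": "mirror.example.internal;\n"}}},
]}

def audit_ingresses(ingress_list):
    """Return one finding per watched annotation present on any Ingress."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        for name in WATCHED:
            value = annotations.get(PREFIX + name)
            if value is None:
                continue
            bad = sorted(c for c in set(value) if c in STRUCTURAL)
            findings.append({
                "namespace": meta.get("namespace", "default"),
                "ingress": meta.get("name", ""),
                "annotation": name,
                # Any use is worth a review; structural characters are a red flag.
                "severity": "suspicious" if bad else "review",
                "structural_chars": bad,
            })
    return findings

if __name__ == "__main__":
    # Pipe real cluster output in on stdin, or run with no input for the sample.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for finding in audit_ingresses(data):
        print(json.dumps(finding))
```

Piping the output of `kubectl get ingress -A -o json` into the script gives an inventory of affected objects; each finding's namespace shows which tenants hold the Ingress write access that the AC-6 control would restrict.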