CVE-2025-24514
Published: 25 March 2025
Summary
CVE-2025-24514 is a high-severity Improper Input Validation (CWE-20) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 2.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A security issue was discovered in ingress-nginx where the auth-url Ingress annotation can be used to inject configuration into nginx. This affects the ingress-nginx controller component in Kubernetes environments and can lead to arbitrary code execution in the context of the controller along with disclosure of Secrets accessible to it. In default installations the controller can access all Secrets cluster-wide. The flaw is tracked as CVE-2025-24514 with a CVSS score of 8.8 and is classified under CWE-20.
An attacker with permission to create or modify Ingress resources can supply a malicious auth-url annotation to trigger configuration injection. Successful exploitation grants code execution inside the ingress-nginx controller pod and read access to any Secrets the controller can reach, enabling broad cluster credential theft or further lateral movement.
Public references include a Kubernetes GitHub issue, a NetApp security advisory, and an Exploit-DB entry describing a working proof-of-concept. These sources point to the need for updated ingress-nginx versions or configuration hardening, though specific patch instructions are not detailed in the provided references.
The EPSS score currently stands at 0.4748 after reaching a peak of 0.5158, indicating sustained moderate-to-high exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8031
Vulnerability details
A security issue was discovered in ingress-nginx (https://github.com/kubernetes/ingress-nginx) where the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables privilege escalation via RCE in ingress-nginx pod (T1068, T1059.004) and Kubernetes Secrets disclosure (T1552.001) through auth-url annotation injection.
Mitigating Controls (NIST 800-53 r5)
Directly addresses CWE-20 improper input validation by requiring validation of untrusted inputs like the auth-url Ingress annotation to prevent configuration injection and RCE.
Mandates timely flaw remediation, including patching the ingress-nginx controller vulnerability referenced in advisories to eliminate the config injection flaw.
Enforces least privilege to restrict creation or modification of Ingress resources, raising the privilege bar needed for PR:L exploitation.
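One way to apply the input-validation control during exposure triage, as an added example (not code from ingress-nginx or the referenced advisories): it reads Ingress objects as JSON and flags `auth-url` annotation values that are not a plain absolute http(s) URL. The character list, the helper names and the sample objects are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Assumption: whitespace, control characters, quotes, backslashes, ';' and
# braces have no place in a plain auth URL, so their presence merits review.
SUSPECT = re.compile(r"[\s\x00-\x1f\x7f;{}\"'\\]")

def check_auth_url(value):
    """Return reasons why value is not a plain absolute http(s) URL."""
    reasons = []
    if SUSPECT.search(value):
        reasons.append("unexpected whitespace, quote, ';' or brace character")
    try:
        parts = urlsplit(value)
        scheme, host = parts.scheme, parts.hostname
    except ValueError:
        scheme, host = "", None
    if scheme not in ("http", "https") or not host:
        reasons.append("not an absolute http(s) URL with a host")
    return reasons

def audit_ingresses(doc):
    """Return (namespace, name, reasons) for each Ingress needing review."""
    findings = []
    for item in doc.get("items", [doc]):  # accepts a List or a single object
        meta = item.get("metadata", {})
        for key, value in (meta.get("annotations") or {}).items():
            # Match on the suffix because the annotation prefix is configurable.
            if key.endswith("/auth-url") and (why := check_auth_url(str(value))):
                findings.append((meta.get("namespace"), meta.get("name"), why))
    return findings

def _ingress(ns, name, auth_url):
    return {"kind": "Ingress", "metadata": {"namespace": ns, "name": name,
            "annotations": {"nginx.ingress.kubernetes.io/auth-url": auth_url}}}

# Constructed sample in the shape of `kubectl get ingress -A -o json` output.
SAMPLE = {"kind": "List", "items": [
    _ingress("shop", "web", "https://auth.example.internal/verify"),
    _ingress("shop", "legacy", "auth.example.internal/verify"),
    _ingress("dev", "scratch", "https://auth.example.internal/verify\n# constructed extra line"),
]}

if __name__ == "__main__":
    for finding in audit_ingresses(SAMPLE):
        print(json.dumps(finding))
```

Pass the parsed output of `kubectl get ingress -A -o json` in place of `SAMPLE`; a clean result is a triage signal only and does not replace flaw remediation.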