CVE-2025-1097

CVE-2025-1097 is a vulnerability in the ingress-nginx controller for Kubernetes, available at https://github.com/kubernetes/ingress-nginx. The flaw resides in the `auth-tls-match-cn` Ingress annotation, which allows attackers to inject arbitrary configuration into the underlying nginx process. This results in arbitrary code execution within the context of the ingress-nginx controller pod and disclosure of Kubernetes Secrets accessible to the controller. In default installations, the controller possesses cluster-wide read access to all Secrets. The issue is classified under CWE-20 (Improper Input Validation) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An attacker with low privileges, such as the ability to create or modify Ingress resources in a Kubernetes namespace, can exploit this vulnerability over the network with low complexity and no user interaction. By crafting a malicious `auth-tls-match-cn` annotation in an Ingress object, the attacker injects nginx configuration that executes arbitrary code as the ingress-nginx controller. This grants high-impact access to confidential data like cluster-wide Secrets, enables integrity violations through code injection, and allows availability disruptions, all within the controller's scope.

Advisories and references provide guidance on mitigation. The Kubernetes issue tracker details the problem at https://github.com/kubernetes/kubernetes/issues/131007, NetApp issued a related advisory at https://security.netapp.com/advisory/ntap-20250328-0008/, and a proof-of-concept exploit is publicly available at https://www.exploit-db.com/exploits/52475. Security practitioners should review these sources for patch availability, version-specific fixes, and recommended workarounds like restricting Ingress annotations or controller permissions.

The public exploit on Exploit-DB indicates active interest and potential for real-world abuse targeting Kubernetes clusters using ingress-nginx.