CVE-2025-1098
Published: 25 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-1098 is a vulnerability in the ingress-nginx controller for Kubernetes, hosted at https://github.com/kubernetes/ingress-nginx. The issue stems from the `mirror-target` and `mirror-host` Ingress annotations, which can be abused to inject arbitrary configuration into the underlying nginx process. This flaw enables arbitrary code execution in the context of the ingress-nginx controller and disclosure of Secrets accessible to it. In default installations, the controller has cluster-wide access to all Secrets.
The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility, low attack complexity, and a requirement for low privileges such as the ability to create or modify Ingress resources. Exploitation requires no user interaction and maintains an unchanged scope. A successful attack allows an attacker to execute arbitrary code as the ingress-nginx controller process, potentially compromising the host, and to disclose sensitive Secrets across the Kubernetes cluster.
Advisories and related resources include a Kubernetes GitHub issue at https://github.com/kubernetes/kubernetes/issues/131008, a NetApp security advisory at https://security.netapp.com/advisory/ntap-20250328-0008/, and a proof-of-concept exploit published at https://www.exploit-db.com/exploits/52475. These references provide further details on the issue, associated products, and potential mitigations such as updating to patched versions of ingress-nginx.
A public proof-of-concept exploit underscores the vulnerability's practicality, highlighting the need for immediate patching in Kubernetes environments using ingress-nginx. The flaw is linked to CWE-20 (Improper Input Validation) and was published on 2025-03-25.
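A defender-side check that can be run over exported Ingress objects, added here as an example and not code from the ingress-nginx project: it flags `mirror-target` / `mirror-host` annotation values carrying characters that would let a value spill into additional nginx directives, which is the injection path described above. The full annotation keys (ingress-nginx's `nginx.ingress.kubernetes.io/` prefix) and the character heuristic are assumptions; updating the controller to a patched version remains the actual fix.

```python
import re

# Full annotation keys assumed from ingress-nginx's "nginx.ingress.kubernetes.io/" prefix.
MIRROR_ANNOTATIONS = (
    "nginx.ingress.kubernetes.io/mirror-target",
    "nginx.ingress.kubernetes.io/mirror-host",
)

# Heuristic (an assumption): characters that would let an annotation value end the
# directive it is templated into and append further nginx configuration.
INJECTION_PATTERN = re.compile(r"[\n\r;{}#]")


def suspicious_mirror_annotations(ingress: dict) -> list:
    """Return (annotation, value) pairs whose value carries config-injection characters."""
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    findings = []
    for key in MIRROR_ANNOTATIONS:
        value = annotations.get(key)
        if value is not None and INJECTION_PATTERN.search(value):
            findings.append((key, value))
    return findings


def scan_ingresses(items: list) -> dict:
    """Map namespace/name to findings for every Ingress that trips the check."""
    report = {}
    for ing in items:
        md = ing.get("metadata", {})
        found = suspicious_mirror_annotations(ing)
        if found:
            report[f"{md.get('namespace', 'default')}/{md.get('name', '?')}"] = found
    return report


# Constructed sample objects in the shape of the "items" list from `kubectl get ingress -A -o json`.
SAMPLE_ITEMS = [
    {"metadata": {"namespace": "shop", "name": "web", "annotations": {
        "nginx.ingress.kubernetes.io/mirror-target": "https://mirror.internal$request_uri"}}},
    {"metadata": {"namespace": "dev", "name": "suspect", "annotations": {
        "nginx.ingress.kubernetes.io/mirror-host": "mirror.example;\n# injected\nplaceholder_directive on;"}}},
]

if __name__ == "__main__":
    for name, findings in scan_ingresses(SAMPLE_ITEMS).items():
        print(name, "->", [key.rsplit("/", 1)[1] for key, _ in findings])
```

To audit a live cluster, feed the `items` list of `kubectl get ingress -A -o json` to `scan_ingresses`; a benign URL or hostname should produce no finding.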
Details
- CWE(s): CWE-20 (Improper Input Validation)
- MITRE ATT&CK Enterprise Techniques: Command and Scripting Interpreter: Unix Shell (T1059.004)
Why these techniques?
The vulnerability allows a public-facing ingress-nginx controller to be exploited for remote code execution (via a Unix shell) and for privilege escalation: a user with only the low privilege of creating or modifying Ingress resources gains code execution as the controller, together with access to the Secrets it can read.