CVE-2025-14727

High

Published: 17 December 2025

Published

17 December 2025

Modified

08 January 2026

KEV Added

—

Patch

—

CVSS Score 8.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

EPSS Score 0.0020 41.8th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability exists in NGINX Ingress Controller's nginx.org/rewrite-target annotation validation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Timely flaw remediation through patching the NGINX Ingress Controller directly eliminates the path traversal vulnerability in nginx.org/rewrite-target annotation validation.

SI-10 Information Input Validation good match

prevent

Information input validation ensures rewrite-target annotations are checked for path traversal sequences, preventing CWE-22 exploitation by low-privilege attackers.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Vulnerability scanning detects the presence of CVE-2025-14727 in NGINX Ingress Controller deployments, enabling identification prior to exploitation.

Security SummaryAI

CVE-2025-14727, published on 2025-12-17, is a vulnerability in the NGINX Ingress Controller's nginx.org/rewrite-target annotation validation, classified under CWE-22 (Path Traversal). It affects the NGINX Ingress Controller, with software versions that have reached End of Technical Support (EoTS) not evaluated. The vulnerability has a CVSS v3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L), indicating high severity due to network accessibility and impacts on confidentiality, integrity, and availability.

An attacker with low privileges (PR:L) can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables high confidentiality and integrity impacts, such as unauthorized access to sensitive data or modification of resources, alongside low availability disruption.

The F5 advisory at https://my.f5.com/manage/s/article/K000158176 provides details on mitigation, including patches and workarounds for affected NGINX Ingress Controller versions.

Details

CWE(s): CWE-22

Affected Products

nginx ingress controller

5.3.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Path traversal vulnerability (CWE-22) in NGINX Ingress Controller's public-facing annotation processing directly enables exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://my.f5.com/manage/s/article/K000158176
Vendor Advisory · f5sirt@f5.com