CVE-2025-24514
Published: 25 March 2025
Description
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Security Summary
CVE-2025-24514 is a vulnerability in the ingress-nginx controller (https://github.com/kubernetes/ingress-nginx) in which the `auth-url` Ingress annotation can be used to inject arbitrary configuration into the underlying nginx process. The flaw is classified under CWE-20 (Improper Input Validation), has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), and was published on 2025-03-25. It can result in arbitrary code execution within the context of the ingress-nginx controller pod, as well as unauthorized disclosure of Kubernetes Secrets accessible to the controller, which by default includes all Secrets cluster-wide.
An attacker with low privileges, such as the ability to create or modify Ingress resources in a Kubernetes cluster (PR:L per CVSS), can exploit this over the network with low complexity and no user interaction required. Successful exploitation grants remote code execution as the ingress-nginx controller, potentially allowing full compromise of the controller pod, extraction of sensitive Secrets, and further lateral movement within the cluster depending on the controller's permissions.
Mitigation guidance and patches are referenced in key advisories, including the Kubernetes GitHub issue at https://github.com/kubernetes/kubernetes/issues/131006 and NetApp advisory ntap-20250328-0008 at https://security.netapp.com/advisory/ntap-20250328-0008/. A public proof-of-concept exploit is available at https://www.exploit-db.com/exploits/52475, indicating active interest from the security research community.
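As an added example (not code from the ingress-nginx project or the advisories above), the following audit flags Ingress objects whose `auth-url` annotation is not a plain http(s) URL. It assumes the default annotation prefix `nginx.ingress.kubernetes.io`; the function names and the sample data are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Default key; a custom --annotations-prefix changes it (assumption).
AUTH_URL_KEY = "nginx.ingress.kubernetes.io/auth-url"
# Characters with meaning in nginx config syntax. "$" is allowed on purpose:
# nginx variables such as $host are legitimate in auth-url values.
SUSPICIOUS = set(";{}#\"'\\ ")

def check_auth_url(value):
    """Return the reasons a value is not a plain single-line http(s) URL."""
    reasons = []
    bad = sorted({c for c in value if c in SUSPICIOUS or ord(c) < 0x20})
    if bad:
        reasons.append("config metacharacters: " + ", ".join(repr(c) for c in bad))
    try:
        parts = urlsplit(value)
    except ValueError:
        return reasons + ["unparseable URL"]
    if parts.scheme not in ("http", "https"):
        reasons.append("scheme is not http/https")
    if not parts.hostname:
        reasons.append("missing host")
    return reasons

def audit_ingresses(ingress_list):
    """Return (namespace, name, reasons) for each Ingress with a suspect auth-url."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        value = (meta.get("annotations") or {}).get(AUTH_URL_KEY)
        if value is None:
            continue  # Ingress does not use external auth
        reasons = check_auth_url(value)
        if reasons:
            findings.append((meta.get("namespace"), meta.get("name"), reasons))
    return findings

# Constructed sample shaped like `kubectl get ingress -A -o json` output.
SAMPLE = json.loads(r'''{"items": [
 {"metadata": {"namespace": "shop", "name": "web", "annotations":
   {"nginx.ingress.kubernetes.io/auth-url": "https://$host/oauth2/auth"}}},
 {"metadata": {"namespace": "dev", "name": "constructed-suspect", "annotations":
   {"nginx.ingress.kubernetes.io/auth-url":
    "http://auth.example.internal/verify\n#constructed-test-value"}}},
 {"metadata": {"namespace": "dev", "name": "no-auth"}}
]}''')

if __name__ == "__main__":
    for ns, name, reasons in audit_ingresses(SAMPLE):
        print(f"{ns}/{name}: {'; '.join(reasons)}")
```

Feed it the parsed output of `kubectl get ingress -A -o json` in place of `SAMPLE`. A clean result only means no existing object looks suspect; it does not replace the patches referenced in the advisories.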
Details
- CWE(s): CWE-20 (Improper Input Validation)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables privilege escalation via RCE in ingress-nginx pod (T1068, T1059.004) and Kubernetes Secrets disclosure (T1552.001) through auth-url annotation injection.