CVE-2025-1097
📋 TL;DR
CVE-2025-1097 is a critical vulnerability in ingress-nginx where the auth-tls-match-cn annotation can be exploited to inject malicious configuration into nginx, potentially leading to arbitrary code execution and disclosure of Kubernetes Secrets. This affects all Kubernetes clusters using ingress-nginx with TLS client certificate authentication enabled. The controller's default cluster-wide Secret access makes this particularly dangerous.
💻 Affected Systems
- kubernetes/ingress-nginx
⚠️ Risk & Real-World Impact
Worst Case
Full cluster compromise: attacker gains code execution on ingress controller pod, accesses all cluster Secrets, pivots to other workloads, and potentially takes over the entire Kubernetes cluster.
Likely Case
Secret disclosure and limited code execution: attacker extracts sensitive credentials from Secrets, potentially compromising applications and services that rely on those credentials.
If Mitigated
Limited impact if proper network policies, RBAC restrictions, and namespace segregation prevent lateral movement and Secret access.
🎯 Exploit Status
Exploitation requires ability to create or modify Ingress resources with the vulnerable annotation. Public exploit code exists on Exploit-DB.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check latest ingress-nginx releases after March 2025
Vendor Advisory: https://github.com/kubernetes/ingress-nginx/security/advisories
Restart Required: Yes
Instructions:
1. Update the ingress-nginx controller to a patched version.
2. Delete and recreate the controller pods to ensure the new version is running.
3. Verify that annotation validation is now enforced.
🔧 Temporary Workarounds
Disable vulnerable annotation
Remove or restrict use of the auth-tls-match-cn annotation in Ingress resources
kubectl get ingress --all-namespaces -o yaml | grep -i 'auth-tls-match-cn'
kubectl edit ingress <name> -n <namespace> # Remove the annotation
Restrict Ingress creation
Use Kubernetes RBAC to limit who can create or modify Ingress resources. A read-only Role such as the one below only helps if the subject holds no other RoleBinding or ClusterRoleBinding that still grants create, update or patch on ingresses; audit existing bindings before relying on it.
kubectl create role ingress-restricted --verb=get,list --resource=ingresses
kubectl create rolebinding restrict-ingress --role=ingress-restricted --user=<username>
🧯 If You Can't Patch
- Implement strict RBAC controls to prevent unauthorized Ingress modifications
- Deploy network policies to isolate ingress-nginx controller and limit Secret access
🔍 How to Verify
Check if Vulnerable:
Check if any Ingress resources use the auth-tls-match-cn annotation (the full key is nginx.ingress.kubernetes.io/auth-tls-match-cn; dots in the key must be escaped in jsonpath):
kubectl get ingress --all-namespaces -o jsonpath='{.items[*].metadata.annotations.nginx\.ingress\.kubernetes\.io/auth-tls-match-cn}'
Check Version:
kubectl describe pod -n ingress-nginx | grep Image
Verify Fix Applied:
Verify ingress-nginx controller version is patched and annotation validation rejects malicious values
📡 Detection & Monitoring
Log Indicators:
- Unusual nginx configuration changes
- Unexpected Secret access attempts from ingress controller
- Malformed annotation values in Ingress resources
Network Indicators:
- Unexpected outbound connections from ingress controller pods
- Anomalous traffic patterns to Secret API endpoints
SIEM Query:
source="kubernetes" AND ("auth-tls-match-cn" OR ("ingress-nginx" AND "annotation"))
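As an added example that is not part of this advisory or of the ingress-nginx project, the following Python script covers both the "How to Verify" check and the "Detection & Monitoring" indicators above. It lists every Ingress carrying the nginx.ingress.kubernetes.io/auth-tls-match-cn annotation from the JSON that kubectl get ingress -A -o json produces, and scans API-server audit-log events for create, update or patch requests that set the annotation (including JSON Patch bodies, where the slash in the key is escaped as ~1). The SAFE_VALUE allowlist is a conservative local assumption about what a plain CN match looks like, not the validator that ingress-nginx ships; the sample Ingress list and audit events are constructed.

```python
"""Audit helpers for the auth-tls-match-cn annotation (CVE-2025-1097).

Added example; not part of the advisory or of ingress-nginx itself.
Handles two offline inputs:
  1. parsed JSON from `kubectl get ingress -A -o json`
  2. API-server audit-log events, one JSON object per line
     (requestObject is only present at audit level Request/RequestResponse)
"""
import json
import re

ANNOTATION = "nginx.ingress.kubernetes.io/auth-tls-match-cn"

# Assumption: a benign value is "CN=" followed by a short pattern built from
# word characters, dots, hyphens, spaces and a few regex metacharacters.
# This is a local allowlist for triage, not the validator ingress-nginx ships;
# anything outside it (quotes, braces, semicolons, '$', newlines) is flagged.
SAFE_VALUE = re.compile(r"CN=[\w.\-*| ()]{1,256}")


def classify_value(value):
    """Return 'ok' if the whole value fits the allowlist, else 'suspicious'.
    fullmatch is used so a trailing newline cannot slip past a '$' anchor."""
    if isinstance(value, str) and SAFE_VALUE.fullmatch(value):
        return "ok"
    return "suspicious"


def annotation_from_body(body):
    """Extract the annotation from an Ingress object, a merge-patch body,
    or a JSON Patch operation list (where '/' in the key is escaped as '~1')."""
    if isinstance(body, list):
        wanted = "/metadata/annotations/" + ANNOTATION.replace("/", "~1")
        for op in body:
            if op.get("op") in ("add", "replace") and op.get("path") == wanted:
                return op.get("value")
        return None
    if isinstance(body, dict):
        return ((body.get("metadata") or {}).get("annotations") or {}).get(ANNOTATION)
    return None


def audit_ingress_list(doc):
    """Report every Ingress in a `kubectl get ingress -A -o json` dump
    that carries the annotation, with a verdict on its value."""
    findings = []
    for item in doc.get("items", []):
        value = annotation_from_body(item)
        if value is None:
            continue
        meta = item.get("metadata", {})
        findings.append({"namespace": meta.get("namespace", ""),
                         "name": meta.get("name", ""),
                         "value": value, "verdict": classify_value(value)})
    return findings


def scan_audit_log(lines):
    """Report create/update/patch requests on Ingress objects whose body
    sets the annotation: who did it, where, and what value they supplied."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # skip non-JSON noise in the log
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "ingresses" or ev.get("verb") not in ("create", "update", "patch"):
            continue
        value = annotation_from_body(ev.get("requestObject"))
        if value is None:
            continue
        findings.append({"user": (ev.get("user") or {}).get("username", ""),
                         "namespace": ref.get("namespace", ""),
                         "name": ref.get("name", ""), "verb": ev["verb"],
                         "value": value, "verdict": classify_value(value)})
    return findings


# Constructed sample data (not from a real cluster).
SAMPLE_INGRESS_LIST = {"items": [
    {"metadata": {"name": "shop", "namespace": "prod",
                  "annotations": {ANNOTATION: "CN=client-.*"}}},
    {"metadata": {"name": "api", "namespace": "prod",
                  "annotations": {ANNOTATION: "CN=ops$team"}}},
    {"metadata": {"name": "docs", "namespace": "dev"}},
]}

SAMPLE_AUDIT_LINES = [json.dumps(e) for e in [
    {"verb": "create", "user": {"username": "alice"},
     "objectRef": {"resource": "ingresses", "namespace": "prod", "name": "shop"},
     "requestObject": {"metadata": {"annotations": {ANNOTATION: "CN=client-.*"}}}},
    {"verb": "patch", "user": {"username": "ci-bot"},
     "objectRef": {"resource": "ingresses", "namespace": "prod", "name": "api"},
     "requestObject": [{"op": "add", "value": "CN=ops$team",
                        "path": "/metadata/annotations/" + ANNOTATION.replace("/", "~1")}]},
    {"verb": "update", "user": {"username": "bob"},
     "objectRef": {"resource": "configmaps", "namespace": "prod", "name": "cfg"},
     "requestObject": {"metadata": {}}},
]]

if __name__ == "__main__":
    # For a live check, replace the samples with json.load(open("ingresses.json"))
    # and the lines of your audit log file.
    for f in audit_ingress_list(SAMPLE_INGRESS_LIST) + scan_audit_log(SAMPLE_AUDIT_LINES):
        print(f)
```

Any Ingress reported as "suspicious" deserves a manual look and, on an unpatched controller, removal of the annotation; the audit-log findings additionally tell you which identity set the value, which is what the RBAC tightening above should be checked against.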