CVE-2025-15566
📋 TL;DR
This CVE allows attackers to inject malicious configuration into ingress-nginx via the auth-proxy-set-headers annotation, potentially leading to arbitrary code execution and disclosure of Kubernetes Secrets. All Kubernetes clusters using ingress-nginx with this annotation are affected. The controller typically has cluster-wide Secret access by default.
💻 Affected Systems
- ingress-nginx
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full cluster compromise with attacker gaining control of ingress-nginx controller, accessing all cluster Secrets, and executing arbitrary code across the cluster.
Likely Case
Unauthorized access to sensitive Secrets and potential lateral movement within the cluster through the compromised controller.
If Mitigated
Limited impact if proper RBAC restrictions prevent annotation modification and controller has minimal permissions.
🎯 Exploit Status
Requires authenticated access to create/modify Ingress resources. Exploitation involves crafting malicious annotation values.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check latest ingress-nginx releases for fix
Vendor Advisory: https://github.com/kubernetes/kubernetes/issues/136789
Restart Required: Yes
Instructions:
1. Update ingress-nginx to the patched version.
2. Restart the ingress-nginx controller pods.
3. Verify that annotation validation is working.
🔧 Temporary Workarounds
Restrict Ingress Creation
Use RBAC to limit who can create or modify Ingress resources (and therefore their annotations):
kubectl create role ingress-creator --verb=create,update --resource=ingresses --namespace=your-namespace
kubectl create rolebinding bind-ingress-creator --role=ingress-creator --user=trusted-user --namespace=your-namespace
Remove Controller Secret Access
Limit the controller's RBAC permissions to only the Secrets it needs:
kubectl edit clusterrole ingress-nginx
Modify the rules so that Secret access is restricted to the namespaces the controller actually serves (a ClusterRole is not itself namespace-scoped; namespace-level restriction is done with a Role and RoleBinding in each namespace).
🧯 If You Can't Patch
- Implement strict RBAC controls to prevent unauthorized Ingress modifications
- Use admission controllers like OPA Gatekeeper to validate Ingress annotations
🔍 How to Verify
Check if Vulnerable:
Check whether you are running ingress-nginx and have Ingress resources carrying the auth-proxy-set-headers annotation (full key: nginx.ingress.kubernetes.io/auth-proxy-set-headers).
Check Version:
kubectl describe deployment ingress-nginx-controller -n ingress-nginx | grep Image
Verify Fix Applied:
Attempt to create an Ingress with a malicious annotation value; a patched controller should reject it.
📡 Detection & Monitoring
Log Indicators:
- Unusual annotation values in Ingress resources
- Controller logs showing configuration parsing errors
Network Indicators:
- Unexpected outbound connections from ingress controller
SIEM Query:
source="kubernetes" AND resource.type="ingress" AND (annotation.auth-proxy-set-headers CONTAINS "$" OR annotation.auth-proxy-set-headers CONTAINS "{")
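The "Check if Vulnerable" step and the log indicators above both come down to the same question: which Ingress objects carry the annotation, and do any of their values look abnormal? The script below is an added example (not part of the original page or of the ingress-nginx project) that answers it offline from the JSON that `kubectl get ingress -A -o json` prints. It assumes the full annotation key `nginx.ingress.kubernetes.io/auth-proxy-set-headers`; the characters "$" and "{" are the indicators from the SIEM query, and the extra characters in the regex are an added assumption about what would disturb an nginx directive. The sample IngressList is constructed for the example.

```python
"""Inventory Ingress objects that use auth-proxy-set-headers and flag
values with characters that have no place in a namespace/name reference.

Usage against a live cluster (kubectl not required for the sample below):
    kubectl get ingress -A -o json | python3 scan_auth_headers.py
"""
import json
import re
import sys

# Full annotation key (assumption: the page only names the short form).
ANNOTATION = "nginx.ingress.kubernetes.io/auth-proxy-set-headers"

# "$" and "{" come from the page's SIEM query; "}", ";", quotes and line
# breaks are an added assumption covering nginx directive delimiters.
SUSPICIOUS = re.compile(r'[${};"\r\n]')


def scan_ingress_list(ingress_list: dict) -> list:
    """Return one finding per Ingress carrying the annotation.

    Each finding records namespace, name, the raw value and whether the
    value matched the suspicious-character pattern.
    """
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        if ANNOTATION not in annotations:
            continue
        value = str(annotations[ANNOTATION])
        findings.append({
            "namespace": meta.get("namespace", ""),
            "name": meta.get("name", ""),
            "value": value,
            "suspicious": SUSPICIOUS.search(value) is not None,
        })
    return findings


# Constructed sample: one Ingress without the annotation, one with a
# normal "namespace/configmap" value, one whose value contains "$" and "{".
SAMPLE = {
    "kind": "IngressList",
    "items": [
        {"metadata": {"namespace": "web", "name": "plain",
                      "annotations": {"kubernetes.io/ingress.class": "nginx"}}},
        {"metadata": {"namespace": "web", "name": "proxied",
                      "annotations": {ANNOTATION: "web/auth-headers"}}},
        {"metadata": {"namespace": "web", "name": "odd",
                      "annotations": {ANNOTATION: "web/auth-headers${x}"}}},
    ],
}


def main() -> None:
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for f in scan_ingress_list(data):
        tag = "SUSPICIOUS" if f["suspicious"] else "present"
        print(f"{tag:10} {f['namespace']}/{f['name']}: {f['value']!r}")


if __name__ == "__main__":
    main()
```

Every hit, suspicious or not, is worth knowing about: the "present" entries are the inventory you need to decide whether the annotation is in use at all, and the "SUSPICIOUS" entries are the ones to review before and after applying the patch.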