CVE-2025-24513
📋 TL;DR
A directory traversal vulnerability in ingress-nginx's Admission Controller allows attackers to manipulate filenames to access files outside intended directories. This affects Kubernetes clusters using ingress-nginx with the Admission Controller feature enabled. Attackers could cause denial of service or potentially access Secret objects when combined with other vulnerabilities.
💻 Affected Systems
- ingress-nginx
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete cluster compromise through disclosure of sensitive Secret objects, leading to lateral movement and data exfiltration.
Likely Case
Denial of service through file system manipulation and potential limited information disclosure from container files.
If Mitigated
Minimal impact with proper network segmentation and Admission Controller restrictions.
🎯 Exploit Status
Exploitation requires knowledge of Kubernetes environment and access to Admission Controller endpoint. No public exploit code has been observed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check latest ingress-nginx releases for fix
Vendor Advisory: https://github.com/kubernetes/ingress-nginx/security/advisories
Restart Required: Yes
Instructions:
1. Update ingress-nginx to the latest patched version.
2. Restart the ingress-nginx controller pods.
3. Verify Admission Controller functionality.
🔧 Temporary Workarounds
Disable Admission Controller
Temporarily disable the vulnerable Admission Controller feature:
kubectl edit deployment ingress-nginx-controller -n ingress-nginx
Remove or comment out the Admission Controller configuration in the deployment.
Restrict Network Access
Limit network access to the Admission Controller endpoint by applying NetworkPolicy resources (kubectl apply -f <your-policy.yaml>) that restrict which sources may reach the ingress-nginx namespace.
🧯 If You Can't Patch
- Implement strict network policies to limit access to Admission Controller endpoint
- Disable Admission Controller feature entirely until patching is possible
🔍 How to Verify
Check if Vulnerable:
Check whether the Admission Controller is enabled in the ingress-nginx configuration:
kubectl get configmap ingress-nginx-controller -n ingress-nginx -o yaml | grep admission
Check Version:
kubectl describe pod -l app.kubernetes.io/name=ingress-nginx -n ingress-nginx | grep Image
Verify Fix Applied:
Verify that the ingress-nginx version has been updated, then confirm the Admission Controller still validates valid Ingress requests correctly.
📡 Detection & Monitoring
Log Indicators:
- Unusual file path patterns in Admission Controller logs
- Failed directory traversal attempts in nginx logs
- Unexpected file access patterns
Network Indicators:
- Unusual traffic patterns to Admission Controller endpoint
- Multiple failed validation requests
SIEM Query:
source="ingress-nginx" AND ("admission" OR "validation") AND (".." OR "%2e%2e" OR path_traversal)
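As an added example that is not part of this advisory, the SIEM logic above written as a Python filter over constructed Admission Controller log lines: it percent-decodes fields (bounded, so double-encoded sequences are also caught) and requires a path separator around the ".." so that a bare ".." inside a filename does not trigger. The log format is an assumption, not real ingress-nginx output.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (assumed format, not real ingress-nginx output).
SAMPLE_LOGS = [
    'admission: validating ingress default/app path=/static/index.html',
    'admission: validating ingress default/app path=../../../../var/run/secrets/token',
    'admission: validating ingress default/app path=%2e%2e%2f%2e%2e%2fetc%2fpasswd',
    'admission: validating ingress default/app path=%252e%252e%252fetc%252fshadow',
    'admission: validating ingress default/app path=/images/..%2f..%2fconfig',
    'nginx: GET /healthz 200',
]

# A ".." segment: preceded by start-of-string or a non-word, non-dot character,
# followed by a separator or end-of-string. "file..txt" does not match.
TRAVERSAL = re.compile(r'(?:^|[^\w.])\.\.(?:[\\/]|$)')


def normalize(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) and unify separators."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace('\\', '/')


def is_admission_event(line: str) -> bool:
    """Mirror the ("admission" OR "validation") clause of the SIEM query."""
    lowered = line.lower()
    return 'admission' in lowered or 'validation' in lowered


def has_traversal(line: str) -> bool:
    """True if the decoded line contains a directory-traversal segment."""
    return TRAVERSAL.search(normalize(line)) is not None


def find_suspicious(lines):
    """Return (line_number, decoded_line) for admission events with traversal."""
    hits = []
    for n, line in enumerate(lines, 1):
        if is_admission_event(line) and has_traversal(line):
            hits.append((n, normalize(line)))
    return hits


if __name__ == '__main__':
    for n, line in find_suspicious(SAMPLE_LOGS):
        print(f'line {n}: {line}')
```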