CVE-2025-59303
📋 TL;DR
HAProxy Kubernetes Ingress Controller versions before 3.1.13 with config-snippets feature enabled allow users with create/update permissions to inject configuration snippets that can leak ingress token secrets. This affects Kubernetes clusters using vulnerable HAProxy ingress controllers with the config-snippets feature flag enabled.
💻 Affected Systems
- HAProxy Kubernetes Ingress Controller
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers with create/update permissions can obtain ingress token secrets, potentially gaining unauthorized access to cluster resources and sensitive data.
Likely Case
Authorized users or compromised accounts with appropriate permissions can exfiltrate secrets, leading to privilege escalation within the Kubernetes cluster.
If Mitigated
With proper RBAC controls limiting config-snippet permissions, impact is limited to authorized administrative users only.
🎯 Exploit Status
Requires create/update permissions and config-snippets feature enabled. No public exploit code available at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.13 or Enterprise: 3.0.16-ee1, 1.11.13-ee1, 1.9.15-ee1
Vendor Advisory: https://haproxy.com/blog/cve-2025-59303-haproxy-kubernetes-ingress-controller-secret-leak
Restart Required: Yes
Instructions:
1. Update HAProxy Kubernetes Ingress Controller to version 3.1.13 or the appropriate Enterprise fixed version.
2. Restart the ingress controller pods.
3. Verify the update was successful.
🔧 Temporary Workarounds
Disable config-snippets feature
Disable the config-snippets feature flag to prevent configuration snippet injection.
kubectl edit deployment haproxy-ingress-controller
Set --config-snippets=false in container args
Restrict RBAC permissions
Limit create/update permissions for config-snippets to trusted administrators only.
Review and update Role/RoleBinding/ClusterRole resources
🧯 If You Can't Patch
- Disable config-snippets feature flag immediately
- Implement strict RBAC controls to limit who can create/update ingress resources
🔍 How to Verify
Check if Vulnerable:
Check the HAProxy ingress controller version and verify whether the config-snippets feature is enabled:
kubectl get deployment haproxy-ingress-controller -o yaml | grep -A5 -B5 config-snippets
Check Version:
kubectl describe deployment haproxy-ingress-controller | grep Image
Verify Fix Applied:
Verify version is 3.1.13 or higher (or Enterprise fixed versions) and test that config-snippets no longer leak secrets
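The verification steps above can be turned into a repeatable check. This added example (not part of the advisory or of HAProxy's code) classifies a deployment from the two facts the kubectl commands surface, the image tag and the container args, using the fixed versions listed above; the image reference and args it runs against are constructed samples, and the `--config-snippets=false` form is the one this page quotes.

```shell
# Added example, not from the advisory: classify an HAProxy Kubernetes Ingress
# Controller deployment for CVE-2025-59303 from its image tag and container args.

# Return 0 (true) when dotted version $1 is lower than $2 (three components).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1   # equal versions are not "lower"
  }'
}

# Print the first fixed version for the release branch of image tag $1, using
# the versions the advisory lists; print nothing for a branch it does not cover.
fixed_version_for() {
  case "$1" in
    *-ee*)                        # Enterprise tags carry an -eeN suffix
      case "$1" in
        3.0.*)  echo 3.0.16 ;;
        1.11.*) echo 1.11.13 ;;
        1.9.*)  echo 1.9.15 ;;
      esac ;;
    *) echo 3.1.13 ;;             # community release line
  esac
}

# assess IMAGE ARGS -> VULNERABLE | MITIGATED | PATCHED | UNKNOWN
# ARGS is the container's args joined into one space-separated string.
assess() {
  tag=${1##*:}                    # text after the last ':' of the image ref
  case "$tag" in
    [0-9]*.[0-9]*) ;;             # a numeric tag we can compare
    *) echo UNKNOWN; return 0 ;;  # ':latest', a digest, or no tag at all
  esac
  fixed=$(fixed_version_for "$tag")
  [ -n "$fixed" ] || { echo UNKNOWN; return 0; }
  if version_lt "${tag%%-*}" "$fixed"; then
    case " $2 " in                # mitigation flag as quoted by the advisory
      *" --config-snippets=false "*) echo MITIGATED ;;
      *) echo VULNERABLE ;;
    esac
  else
    echo PATCHED
  fi
}

# Constructed sample: a community 3.1.12 image with snippets still enabled.
assess "haproxytech/kubernetes-ingress:3.1.12" "--configmap=default/haproxy-kubernetes-ingress"
```

Feed it the image from `kubectl describe deployment ... | grep Image` and the args from the deployment spec; a result other than PATCHED or MITIGATED means the workaround or upgrade above is still outstanding.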
📡 Detection & Monitoring
Log Indicators:
- Unusual config-snippet POST/PUT requests
- Ingress controller returning unexpected secret data in responses
Network Indicators:
- HTTP responses containing Kubernetes secret data from ingress controller
SIEM Query:
source="haproxy-ingress" AND (message="*secret*" OR message="*config-snippet*")