Arbitrary Code Execution Vulnerability in Ingress-Nginx by Kubernetes
CVE-2025-1098
8.8HIGH
What is CVE-2025-1098?
A security issue was identified in ingress-nginx affecting Kubernetes deployments, where the mirror-target
and mirror-host
annotations could be exploited to inject malicious configuration into the Nginx controller. This could result in arbitrary code execution under the privileges of the ingress-nginx controller, enabling the potential disclosure of Secrets accessible to it. Given that the default configuration allows the controller to retrieve all Secrets across the cluster, this vulnerability poses a significant risk to the integrity and confidentiality of sensitive data.
Affected Version(s)
ingress-nginx 0 <= 1.11.4
ingress-nginx 1.12.0