CVE-2025-1097 Overview
A security issue was discovered in ingress-nginx where the auth-tls-match-cn Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. In default installations, the controller can access all Secrets cluster-wide.
Critical Impact
The vulnerability allows remote attackers to execute arbitrary code and access sensitive information.
Affected Products
- ingress-nginx
Discovery Timeline
- 2025-03-25 - CVE-2025-1097 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-1097
Vulnerability Analysis
The vulnerability arises from improper input validation in the auth-tls-match-cn annotation, allowing attackers to inject malicious configuration into nginx.
Root Cause
Improper input validation when parsing the auth-tls-match-cn annotation.
Attack Vector
The attack is conducted remotely over the network.
# Example exploitation code (sanitized)
location / {
allow 1.2.3.4; # Malicious IP
deny all;
auth-tls-match-cn off; # Configuration injection
}
Detection Methods for CVE-2025-1097
Indicators of Compromise
- Unauthorized modification of nginx configuration files
- Suspicious access logs indicating unauthorized IP connections
- Unexplained changes to the auth-tls-match-cn annotation
Detection Strategies
Monitor for changes in Ingress annotations and nginx configuration. Use centralized logging to detect unauthorized access or modifications.
Monitoring Recommendations
Implement monitoring of nginx logs and regularly audit Ingress configurations for unexpected changes.
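One way to carry out the Ingress audit described above, as an added example that is not part of the original advisory or the ingress-nginx project: it scans Ingress objects for auth-tls-match-cn values that fall outside a conservative allowlist. The allowlist pattern, the function name audit_ingresses and the sample objects are assumptions made for this illustration.

```python
import json
import re
import sys

ANNOTATION = "nginx.ingress.kubernetes.io/auth-tls-match-cn"

# Assumption of this audit (not the project's validator): a legitimate value is
# "CN=" plus a simple pattern. Anything else is reported for manual review.
SAFE_VALUE = re.compile(r"CN=[A-Za-z0-9.*_^$\[\]()|+?-]+")

# Characters with syntactic meaning in an nginx configuration file.
CONFIG_SYNTAX = set(";{}#\"'\\\n\r")


def audit_ingresses(ingress_list):
    """Return (namespace, name, syntax_chars) for each Ingress whose
    auth-tls-match-cn value falls outside the allowlist."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        value = (meta.get("annotations") or {}).get(ANNOTATION)
        if value is None:
            continue  # annotation not used on this Ingress
        if not SAFE_VALUE.fullmatch(value):
            chars = sorted(c for c in set(value) if c in CONFIG_SYNTAX)
            findings.append((meta.get("namespace"), meta.get("name"), chars))
    return findings


# Constructed sample in the shape of `kubectl get ingress -A -o json` output.
SAMPLE = {"items": [
    {"metadata": {"namespace": "shop", "name": "storefront",
                  "annotations": {ANNOTATION: "CN=client.example.com"}}},
    {"metadata": {"namespace": "dev", "name": "scratch",
                  "annotations": {ANNOTATION: "CN=svc\nCONSTRUCTED-EXTRA-LINE;"}}},
    {"metadata": {"namespace": "shop", "name": "api"}},
]}

if __name__ == "__main__":
    # Pipe real cluster output on stdin, or run with no input to use SAMPLE.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, name, chars in audit_ingresses(data):
        print(f"REVIEW {ns}/{name}: unexpected {ANNOTATION} value, chars={chars}")
```

A legitimate pattern that uses characters outside the allowlist (for example a backslash escape) is also reported, so each finding is a prompt for manual review rather than proof of compromise.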
How to Mitigate CVE-2025-1097
Immediate Actions Required
- Restrict access to modify Ingress objects
- Validate and sanitize all Ingress configurations
- Implement network-level controls to limit access
Patch Information
Regularly check vendor advisories and apply any security patches released for ingress-nginx.
Workarounds
Disable the auth-tls-match-cn feature until a patch is applied.
# Configuration example
ingress-nginx --set controller.config.auth-tls-match-cn="off"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

