CVE-2025-14727 Overview
CVE-2025-14727 is a path traversal vulnerability in F5 NGINX Ingress Controller. The flaw exists in the validation logic for the nginx.org/rewrite-target annotation. An authenticated attacker with low privileges can abuse the annotation to manipulate request routing and access resources outside the intended scope. The weakness is classified under [CWE-22] (Improper Limitation of a Pathname to a Restricted Directory). F5 documents the issue in F5 Security Article K000158176. Software versions that have reached End of Technical Support (EoTS) were not evaluated.
Critical Impact
Attackers with privileges to create or modify Ingress resources can bypass rewrite-target validation, exposing backend services and sensitive data through manipulated routing paths.
Affected Products
- F5 NGINX Ingress Controller 5.3.0
- Deployments using the nginx.org/rewrite-target annotation
- Kubernetes clusters running affected NGINX Ingress Controller versions
Discovery Timeline
- 2025-12-17 - CVE-2025-14727 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-14727
Vulnerability Analysis
The vulnerability resides in how NGINX Ingress Controller validates the nginx.org/rewrite-target annotation on Ingress resources. The controller generates NGINX configuration from Kubernetes Ingress objects. Insufficient validation of the annotation value allows specially crafted input to alter the resulting NGINX directives.
A low-privileged attacker who can create or update Ingress objects in a namespace can supply malicious rewrite targets. The attack does not require user interaction and can be triggered over the network through standard Kubernetes API access.
The vulnerability impacts confidentiality and integrity of backend services routed by the ingress. Attackers can redirect traffic, expose internal endpoints, or reach paths the cluster operator never intended to publish.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory [CWE-22]. The annotation parser fails to neutralize traversal sequences and directive-breaking characters before injecting the value into the generated NGINX server block configuration.
Attack Vector
Exploitation requires Kubernetes RBAC permissions to create or modify Ingress objects in at least one namespace. The attacker submits an Ingress manifest containing a crafted nginx.org/rewrite-target annotation. Once the controller reconciles the object, the malicious rewrite directive becomes active in the data plane. Subsequent HTTP requests follow the attacker-controlled routing logic.
No verified public exploit code or proof of concept is currently available. Refer to the F5 Security Article K000158176 for vendor technical details.
Detection Methods for CVE-2025-14727
Indicators of Compromise
- Ingress resources containing unusual nginx.org/rewrite-target values with traversal sequences such as ../ or embedded NGINX directives
- Unexpected 200 responses on backend paths that should not be externally routable
- NGINX access logs showing requests resolving to internal services without corresponding Ingress path rules
- Recent Ingress object creation or modification by service accounts outside the normal CI/CD pipeline
Detection Strategies
- Audit all Ingress manifests across namespaces for non-standard nginx.org/rewrite-target annotation values
- Implement admission control policies (OPA Gatekeeper, Kyverno) that validate annotation contents against an allowlist
- Compare deployed NGINX configuration with expected output to identify injected directives
- Review Kubernetes audit logs for Ingress create and update events from unexpected principals
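One way to carry out the first two strategies above (auditing Ingress manifests and checking the annotation against an allowlist) as an added example that is not part of the page or of F5's tooling. It assumes the annotation holds a single absolute URI path; the allowlist pattern, the helper names and the sample Ingress list are constructed for this example and must be tuned to the annotation syntax your controller version accepts. The same check is what an admission policy would enforce before the object is persisted.

```python
import re
from urllib.parse import unquote

# Annotation named in the advisory. Accepted shape is an assumption for this example:
# one absolute URI path with conservative characters; adjust to your controller's syntax.
ANNOTATION = "nginx.org/rewrite-target"
SAFE_TARGET = re.compile(r"^/[A-Za-z0-9._~/-]*$")
# Characters that would terminate or open an NGINX directive if emitted into config raw
DIRECTIVE_BREAKERS = {";": "semicolon", "{": "open brace", "}": "close brace",
                      "\n": "newline", "\r": "carriage return", "#": "comment"}

def check_rewrite_target(value: str) -> list[str]:
    """Return the reasons a value looks unsafe; an empty list means it passes."""
    findings = []
    decoded = unquote(unquote(value))  # see %2e%2e%2f as ../ even when double-encoded
    for ch, name in DIRECTIVE_BREAKERS.items():
        if ch in decoded:
            findings.append(f"contains {name}")
    if any(seg == ".." for seg in decoded.replace("\\", "/").split("/")):
        findings.append("contains a '..' path segment")
    if not SAFE_TARGET.match(decoded):
        findings.append("does not match the allowlist pattern")
    return findings

def audit_ingress_list(doc: dict) -> list[dict]:
    """Flag objects in a kubectl-style Ingress list whose annotation fails the check."""
    flagged = []
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        value = (meta.get("annotations") or {}).get(ANNOTATION)
        if value is None:
            continue  # annotation not used on this Ingress
        reasons = check_rewrite_target(value)
        if reasons:
            flagged.append({"namespace": meta.get("namespace"), "name": meta.get("name"),
                            "value": value, "reasons": reasons})
    return flagged

# Constructed sample in the shape of `kubectl get ingress -A -o json` output
SAMPLE = {"items": [
    {"metadata": {"namespace": "shop", "name": "web", "annotations": {ANNOTATION: "/"}}},
    {"metadata": {"namespace": "shop", "name": "api", "annotations": {ANNOTATION: "/v1/"}}},
    {"metadata": {"namespace": "dev", "name": "odd", "annotations": {ANNOTATION: "/a/../../internal"}}},
    {"metadata": {"namespace": "dev", "name": "enc", "annotations": {ANNOTATION: "/%2e%2e/admin"}}},
    {"metadata": {"namespace": "dev", "name": "bad", "annotations": {ANNOTATION: "/app;"}}},
    {"metadata": {"namespace": "dev", "name": "plain"}}]}

if __name__ == "__main__":
    for f in audit_ingress_list(SAMPLE):
        print(f"{f['namespace']}/{f['name']}: {f['value']!r} -> {', '.join(f['reasons'])}")
```

Feed it the real output of `kubectl get ingress -A -o json` to audit a cluster; any flagged object is a candidate for the manual review recommended above.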
Monitoring Recommendations
- Forward Kubernetes API audit logs and NGINX Ingress Controller logs to a centralized SIEM for correlation
- Alert on changes to Ingress annotations in production namespaces
- Track NGINX Ingress Controller version inventory across clusters to identify unpatched instances
- Monitor for anomalous east-west traffic patterns originating from the ingress data plane
How to Mitigate CVE-2025-14727
Immediate Actions Required
- Identify all NGINX Ingress Controller deployments and confirm the running version
- Upgrade to a fixed release as published in F5 Security Article K000158176
- Restrict RBAC permissions for creating or modifying Ingress objects to trusted principals only
- Review existing Ingress resources for suspicious nginx.org/rewrite-target values and remediate
Patch Information
F5 has published remediation guidance in F5 Security Article K000158176. Operators should follow the vendor advisory for fixed version numbers and upgrade procedures. Note that versions which have reached End of Technical Support (EoTS) were not evaluated and may remain vulnerable.
Workarounds
- Disable use of the nginx.org/rewrite-target annotation in environments where it is not required
- Enforce admission policies that block or sanitize the annotation value before objects are persisted
- Apply namespace-scoped RBAC to prevent low-trust workloads from creating Ingress resources
- Use a dedicated GitOps workflow with code review for all Ingress changes to reduce abuse of API access
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.