
CVE-2025-24513: Ingress-NGINX Path Traversal Vulnerability

CVE-2025-24513 is a path traversal vulnerability in Kubernetes ingress-nginx that enables attackers to traverse directories within containers. This article covers technical details, security impact, and mitigation strategies.


CVE-2025-24513 Overview

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where attacker-provided data are included in a filename by the ingress-nginx Admission Controller feature, resulting in directory traversal within the container. This could result in denial of service, or when combined with other vulnerabilities, limited disclosure of Secret objects from the cluster.

Critical Impact

Potential for denial of service and data exposure in Kubernetes clusters.

Affected Products

  • ingress-nginx

Discovery Timeline

  • 2025-03-25 - CVE CVE-2025-24513 published to NVD
  • 2025-11-03 - Last updated in NVD database

Technical Details for CVE-2025-24513

Vulnerability Analysis

This vulnerability arises from the ingress-nginx Admission Controller feature including attacker-controlled data in filenames. Such an inclusion allows for a directory traversal attack, providing a way for attackers to gain unintended access to directory contents in the container, potentially leading to denial of service and limited data exposure.

Root Cause

Improper handling and sanitization of user-provided input within the filename generation logic of the ingress-nginx Admission Controller component.

Attack Vector

A network-based attack in which crafted input submitted to the ingress-nginx Admission Controller is included in a generated filename, resulting in unauthorized directory traversal.

```bash
# Example exploitation code (sanitized)
# Generic URL-encoded traversal request shown for illustration only; it does
# not reflect the Admission Controller request path described above.
path="..%2f..%2f..%2f..%2fetc%2fpasswd"
curl -G "http://vulnerable-server/api/" --data-urlencode "file=${path}"
```

Detection Methods for CVE-2025-24513

Indicators of Compromise

  • Unusual files or logs located within ingress-nginx containers
  • Unexpected denial of service conditions in applications utilizing ingress-nginx

Detection Strategies

Regularly audit ingress-nginx logs and configurations for entries containing path traversal patterns (e.g., ../../). Implement file integrity monitoring to flag unauthorized access to sensitive files.
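As an added example (not part of the original entry), the following script implements the log audit suggested above: it extracts the request target from access-log style lines and flags dot-dot traversal segments, including URL-encoded and double-encoded variants that a plain `../../` grep would miss. The log lines are constructed samples in Combined-log style, not real ingress-nginx output.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not real ingress-nginx output): two benign
# requests plus traversal attempts in plain, encoded and double-encoded form.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Mar/2025:10:00:01 +0000] "GET /healthz HTTP/1.1" 200 2
10.0.0.9 - - [25/Mar/2025:10:00:02 +0000] "GET /api/?file=../../../../etc/passwd HTTP/1.1" 404 153
10.0.0.9 - - [25/Mar/2025:10:00:03 +0000] "GET /api/?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 404 153
10.0.0.9 - - [25/Mar/2025:10:00:04 +0000] "GET /api/?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 153
10.0.0.7 - - [25/Mar/2025:10:00:05 +0000] "POST /validate HTTP/1.1" 200 88
"""

# A ".." segment that starts the value or follows a separator, and is itself
# followed by a slash (either direction) or the end of the string.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/=?&])\.\.(?:[\\/]|$)")

# Pulls method and request target out of a Combined-log style request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences (%252e) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    """True if the value contains a dot-dot traversal segment after decoding."""
    return TRAVERSAL_RE.search(normalize(value)) is not None


def scan_log(text: str) -> list[dict]:
    """Return one finding per log line whose request target decodes to a traversal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if match and has_traversal(match.group("target")):
            target = match.group("target")
            findings.append({"line": lineno, "target": target, "decoded": normalize(target)})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['target']} -> {finding['decoded']}")
```

The decoded form is kept alongside the raw target so an alert shows both what was sent and what it resolves to.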

Monitoring Recommendations

Set up alerts for modifications to core system files in ingress-nginx containers, and monitor network traffic for signs of directory traversal attempts.

How to Mitigate CVE-2025-24513

Immediate Actions Required

  • Remove the vulnerable ingress-nginx versions from the production environment.
  • Disable the ingress-nginx Admission Controller until patched versions are deployed.
  • Regularly scan for and address potential security misconfigurations.

Patch Information

Apply the official patches provided by the Kubernetes community as soon as they are released. Additionally, verify secure configuration settings post-patch deployment.

Workarounds

Ensure proper input validation and sanitization are implemented when handling user-provided data.

```nginx
# Configuration example: a generic reverse-proxy location block that forwards
# requests upstream and does not serve files from the local filesystem.
location / {
    proxy_pass http://localhost:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
