CVE-2025-24513 Overview
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where attacker-provided data are included in a filename by the ingress-nginx Admission Controller feature, resulting in directory traversal within the container. This could result in denial of service, or when combined with other vulnerabilities, limited disclosure of Secret objects from the cluster.
Critical Impact
Potential for denial of service and data exposure in Kubernetes clusters.
Affected Products
- ingress-nginx
Discovery Timeline
- 2025-03-25 - CVE CVE-2025-24513 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-24513
Vulnerability Analysis
This vulnerability arises from the ingress-nginx Admission Controller feature including attacker-controlled data in filenames. Such an inclusion allows for a directory traversal attack, providing a way for attackers to gain unintended access to directory contents in the container, potentially leading to denial of service and limited data exposure.
Root Cause
Improper handling and sanitization of user-provided input within the filename generation logic of the ingress-nginx Admission Controller component.
Attack Vector
A network-based attack in which crafted input is submitted to the ingress-nginx Admission Controller, which includes that input in a filename, resulting in unauthorized directory traversal within the container.
# Example exploitation code (sanitized)
path="..%2f..%2f..%2f..%2fetc%2fpasswd"
curl -G "http://vulnerable-server/api/" --data-urlencode "file=${path}"
Detection Methods for CVE-2025-24513
Indicators of Compromise
- Unusual files or logs located within ingress-nginx containers
- Unexpected denial of service conditions in applications utilizing ingress-nginx
Detection Strategies
Regularly audit ingress-nginx logs and configurations for entries containing path traversal patterns (e.g., ../../), including their URL-encoded forms. Implement file integrity monitoring to flag unauthorized access to sensitive files.
Monitoring Recommendations
Set up alerts for modifications to core system files in ingress-nginx containers, and monitor network traffic for signs of directory traversal attempts.
How to Mitigate CVE-2025-24513
Immediate Actions Required
- Remove the vulnerable ingress-nginx versions from the production environment.
- Disable the ingress-nginx Admission Controller until patched versions are deployed.
- Regularly scan for and address potential security misconfigurations.
Patch Information
Apply the official patches provided by the Kubernetes community as soon as they are released. Additionally, verify secure configuration settings post-patch deployment.
Workarounds
Ensure proper input validation and sanitization are implemented when handling user-provided data.
# Configuration example: a generic nginx reverse-proxy location block
location / {
    proxy_pass http://localhost:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Note: secure_file_priv is a MySQL server option, not an nginx directive;
    # nginx refuses to load a configuration containing an unknown directive.
}
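Worked example of the log audit described under Detection Strategies and the input validation called for under Workarounds, added here and not taken from the advisory or the ingress-nginx project: it decodes percent-encoding before matching so that ..%2f and double-encoded forms are caught, and it accepts a user-controlled value as a filename component only if it is a single plain path segment that stays under a base directory. The log lines are constructed and /tmp/nginx-cfg is an assumed placeholder base directory.

```python
import posixpath
import re
from urllib.parse import unquote

# Parent-directory traversal ("../" or "..\") after decoding; the pattern to audit for.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (..%252f -> ..%2f -> ../) before any check."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def contains_traversal(value: str) -> bool:
    """True if the value, once decoded, carries a parent-directory traversal."""
    return TRAVERSAL_RE.search(fully_decode(value)) is not None

def scan_log_lines(lines):
    """Return (line number, line) pairs whose request carries a traversal pattern."""
    return [(i, line) for i, line in enumerate(lines, 1) if contains_traversal(line)]

def safe_filename_component(user_value: str, base_dir: str = "/tmp/nginx-cfg") -> str:
    """Join user_value under base_dir (assumed placeholder) only if it is one plain segment.
    Raises ValueError for empty/dot-prefixed names, separators, or escaping base_dir."""
    decoded = fully_decode(user_value)
    if not decoded or decoded.startswith("."):
        raise ValueError("empty or dot-prefixed name rejected")
    if not re.fullmatch(r"[A-Za-z0-9._-]+", decoded):
        raise ValueError("name contains a separator or disallowed character")
    candidate = posixpath.normpath(posixpath.join(base_dir, decoded))
    if posixpath.dirname(candidate) != posixpath.normpath(base_dir):
        raise ValueError("resolved path escapes the base directory")
    return candidate

# Constructed sample access-log lines (not real ingress-nginx output).
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Mar/2025:10:00:01 +0000] "GET /healthz HTTP/1.1" 200 2',
    '10.0.0.9 - - [25/Mar/2025:10:00:02 +0000] "GET /..%2f..%2fetc%2fpasswd HTTP/1.1" 400 0',
    '10.0.0.9 - - [25/Mar/2025:10:00:03 +0000] "GET /x/..%252f..%252fsecret HTTP/1.1" 404 0',
    '10.0.0.7 - - [25/Mar/2025:10:00:04 +0000] "GET /docs/index..html HTTP/1.1" 200 10',
]
```

Running scan_log_lines(SAMPLE_LOG) flags lines 2 and 3 only; the "index..html" line is not a traversal and is left alone.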
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

