SentinelOne
CVE Vulnerability Database

CVE-2025-24514: ingress-nginx Auth-URL RCE Vulnerability

CVE-2025-24514 is a remote code execution vulnerability in ingress-nginx that allows attackers to inject nginx configuration through the auth-url Ingress annotation. This article covers technical details, impact on Kubernetes clusters, and mitigation.


CVE-2025-24514 Overview

A security issue was discovered in ingress-nginx where the auth-url Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. Note that in the default installation, the controller can access all Secrets cluster-wide.

Critical Impact

This vulnerability allows attackers to execute arbitrary code and potentially access sensitive data within the Kubernetes cluster.

Affected Products

  • ingress-nginx (specific versions not detailed)

Discovery Timeline

  • 2025-03-25 - CVE CVE-2025-24514 published to NVD
  • 2025-11-03 - Last updated in NVD database

Technical Details for CVE-2025-24514

Vulnerability Analysis

The vulnerability arises from improper validation of the auth-url Ingress annotation, which allows injection of arbitrary configuration values into nginx. Exploiting this can lead to remote code execution and exposure of secrets managed by the ingress-nginx controller.

Root Cause

Improper input validation in the processing of Ingress annotations, specifically the auth-url, allowing configuration injection.

Attack Vector

This vulnerability can be exploited remotely over the network by supplying malicious annotations to an Ingress resource in the Kubernetes cluster.

nginx
# Illustrative snippet, not a working exploit: the auth-url annotation value is
# copied into the generated nginx configuration at a point like this, so any
# text beyond a plain URL becomes nginx configuration
location / {
    set $auth_url "http://malicious.example.com";  # annotation value inserted verbatim
}

Detection Methods for CVE-2025-24514

Indicators of Compromise

  • Unexpected configuration changes in ingress-nginx
  • Anomalous network traffic to unauthorized URLs
  • Unauthorized access to Kubernetes secrets

Detection Strategies

Monitor configuration changes in ingress-nginx. Use anomaly detection to identify unusual HTTP requests or configuration changes related to auth-url annotations.

Monitoring Recommendations

Implement continuous monitoring of ingress configurations and network traffic. Use SentinelOne's Singularity™ platform to automatically detect and alert on configuration injections.

How to Mitigate CVE-2025-24514

Immediate Actions Required

  • Update ingress-nginx to the latest patched version immediately.
  • Audit ingress configurations for unauthorized auth-url annotations.
  • Implement network segmentation to limit access to secrets and sensitive endpoints.
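The detection strategy above (watching for unusual auth-url annotations) and the audit step in the action list are the same check in practice. The script below is an added example, not SentinelOne's or the ingress-nginx project's code: it reads the JSON that `kubectl get ingress -A -o json` produces and flags any nginx.ingress.kubernetes.io/auth-url value that does not look like a plain URL. The allowlist regex and the set of "directive" characters are this example's own assumptions, not the controller's validation rule, and the sample IngressList is constructed inline so the script runs offline.

```python
"""Audit Ingress objects for suspicious auth-url annotation values.

Added example (not the page's or the ingress-nginx project's code). Feed it
the output of `kubectl get ingress -A -o json`; the SAMPLE_INGRESS_LIST
below is constructed test data standing in for that output.
"""
import json
import re

AUTH_URL_KEY = "nginx.ingress.kubernetes.io/auth-url"

# Assumption of this example: a legitimate auth URL is http(s) and made only of
# URL-safe characters. Whitespace, ';', '{', '}', '#', '$', quotes and
# backslashes are meaningful to nginx and never belong in an auth URL.
SAFE_URL = re.compile(r"^https?://[A-Za-z0-9._~:/?=&%+@-]+$")
DIRECTIVE_CHARS = set(";{}#$\"'\\")


def classify_auth_url(value: str) -> str:
    """Return 'ok' or a short reason why the value looks like injected config."""
    if "\n" in value or "\r" in value:
        return "newline in annotation value"
    bad = sorted({c for c in value if c in DIRECTIVE_CHARS or c.isspace()})
    if bad:
        return f"suspicious characters present: {''.join(bad)!r}"
    if not SAFE_URL.match(value):
        return "not a plain http(s) URL"
    return "ok"


def audit_ingresses(kubectl_json: str) -> list[dict]:
    """Walk an IngressList document and return one finding per suspicious auth-url."""
    doc = json.loads(kubectl_json)
    findings = []
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        value = (meta.get("annotations") or {}).get(AUTH_URL_KEY)
        if value is None:
            continue  # no auth-url annotation on this Ingress
        verdict = classify_auth_url(value)
        if verdict != "ok":
            findings.append({
                "namespace": meta.get("namespace"),
                "name": meta.get("name"),
                "reason": verdict,
                "value": value,
            })
    return findings


def _ingress(ns: str, name: str, auth_url: str) -> dict:
    """Build a minimal Ingress object for the constructed sample below."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {"namespace": ns, "name": name,
                     "annotations": {AUTH_URL_KEY: auth_url}},
    }


# Constructed sample data: one benign annotation and two shaped like injection.
SAMPLE_INGRESS_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        _ingress("shop", "benign", "https://auth.internal.example/verify"),
        _ingress("shop", "injected-newline",
                 "http://auth.internal.example/x\nset $x 1;"),
        _ingress("blog", "injected-semicolon",
                 "http://evil.example/x; proxy_pass http://evil.example;"),
    ],
})

if __name__ == "__main__":
    for finding in audit_ingresses(SAMPLE_INGRESS_LIST):
        print(f"{finding['namespace']}/{finding['name']}: {finding['reason']}")
```

Run it against live cluster output with `kubectl get ingress -A -o json | python3 audit_auth_url.py` after replacing the sample with `sys.stdin.read()`; any finding is an Ingress whose auth-url should be reviewed and, if not expected, removed.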

Patch Information

Refer to ingress-nginx project's official repository and advisories for patch details.

Workarounds

Limit the permissions of ingress-nginx controller to reduce the risk of exploitation and disable annotations that are not used.

bash
# Workaround steps; commands assume the default ingress-nginx namespace and deployment name
# Fetch the project source to compare against the patch referenced in the advisories
git clone https://github.com/kubernetes/ingress-nginx
# Review the controller deployment's arguments and the permissions it runs with
kubectl edit deployment/ingress-nginx-controller -n ingress-nginx
# List every Ingress carrying an auth-url annotation, then remove or restrict those not in use
kubectl get ingress -A -o json | grep -n 'auth-url'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
