CVE-2025-1097
Ingress NGINX Controller (community-driven) vulnerability analysis and mitigation

Overview

A high-severity vulnerability (CVE-2025-1097, CVSS 8.8) was found in ingress-nginx, the community-maintained Ingress NGINX Controller, in its handling of the nginx.ingress.kubernetes.io/auth-tls-match-cn Ingress annotation. It was publicly disclosed in March 2025 and affects ingress-nginx releases before v1.11.5 and v1.12.1. An attacker who can submit an Ingress object carrying a crafted annotation value can inject directives into the NGINX configuration the controller generates, which can lead to code execution inside the controller pod and, from there, to reading Secrets across the whole cluster (Kubernetes Issue, Wiz Blog).

Technical details

The auth-tls-match-cn annotation value is meant to be a regular expression that the generated configuration matches against the client certificate's subject. The controller interpolated it into nginx.conf without sufficient sanitization, so a value containing line breaks, semicolons or braces can terminate the intended directive and append arbitrary NGINX directives. The issue has been assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The component that makes this reachable is the validating admission controller: it receives incoming Ingress objects, renders the NGINX configuration they would produce and tests that configuration with nginx, so injected directives are processed during validation even if the Ingress is ultimately rejected (Kubernetes Issue, Wiz Blog).

Impact

Successful exploitation yields arbitrary code execution in the context of the ingress-nginx controller pod. In default installations the controller's service account is allowed to read Secrets in every namespace, because it must fetch TLS certificates for Ingresses cluster-wide, so a compromised controller can read every Secret in the cluster. According to Wiz's research, approximately 43% of cloud environments were running a vulnerable controller, including systems belonging to Fortune 500 companies (Wiz Blog).

Mitigation and workarounds

Organizations should upgrade ingress-nginx to v1.11.5, v1.12.1 or later. Where an immediate upgrade is not possible, two stopgaps reduce exposure: restrict network access to the admission webhook so that only the Kubernetes API server can reach it, or temporarily disable the admission webhook altogether (for Helm installs, redeploy with controller.admissionWebhooks.enabled=false; for manual installs, delete the ingress-nginx-admission ValidatingWebhookConfiguration and remove the --validating-webhook argument from the controller). Disabling the webhook also removes validation of Ingress objects, so re-enable it as soon as the upgrade is in place. Indicators of exploitation attempts include Ingress objects, or admission requests, whose auth-tls-match-cn annotation contains line breaks, semicolons, braces or other NGINX directive syntax instead of a plain certificate-subject pattern (Kubernetes Issue).
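The following Go program is an added illustration for the two preceding sections (the injection mechanism and the detection indicator); it is not code from the ingress-nginx project, the Kubernetes issue or the Wiz write-up. It uses a simplified stand-in for the template fragment the controller emits (the real nginx.tmpl differs), renders a constructed annotation value that appends a harmless add_header directive, shows a hardened render that refuses such values, and then scans a constructed sample of `kubectl get ingress -A -o json` output for Ingresses carrying the same kind of value. The metacharacter heuristic, the template shape, the sample Ingress names and the crafted value are all assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"text/template"
	"unicode"
)

const matchCNAnnotation = "nginx.ingress.kubernetes.io/auth-tls-match-cn"

// Stand-in for the snippet the controller emits for the annotation (assumed
// shape, not the project's nginx.tmpl): the value is the regex operand of an
// nginx `if` that compares it against the client certificate subject.
const matchCNTemplate = `if ( $ssl_client_s_dn !~ {{ .MatchCN }} ) {
    return 403 "client certificate unauthorized";
}
`

var matchCNTmpl = template.Must(template.New("matchcn").Parse(matchCNTemplate))

// renderMatchCN is the vulnerable form: text/template copies the value in
// verbatim, so line breaks, ';' and braces end up in the generated config.
func renderMatchCN(value string) (string, error) {
	var sb strings.Builder
	if err := matchCNTmpl.Execute(&sb, map[string]string{"MatchCN": value}); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// hasConfigMetachars reports whether v can break out of the regex operand:
// control characters (line breaks), the directive terminator ';', block
// braces, the comment marker and quotes. This heuristic is illustrative; it
// is not the validation the project shipped in v1.11.5 / v1.12.1.
func hasConfigMetachars(v string) bool {
	return strings.ContainsAny(v, ";{}#\"'\\") || strings.IndexFunc(v, unicode.IsControl) >= 0
}

// renderMatchCNSafe is the hardened form: reject the value before templating.
func renderMatchCNSafe(value string) (string, error) {
	if hasConfigMetachars(value) {
		return "", fmt.Errorf("%s: rejected %q: nginx configuration metacharacters", matchCNAnnotation, value)
	}
	return renderMatchCN(value)
}

// ingressList is the subset of `kubectl get ingress -A -o json` we read.
type ingressList struct {
	Items []struct {
		Metadata struct {
			Name        string            `json:"name"`
			Namespace   string            `json:"namespace"`
			Annotations map[string]string `json:"annotations"`
		} `json:"metadata"`
	} `json:"items"`
}

type finding struct {
	Namespace, Name, Value string
}

// scanIngressList flags every Ingress whose auth-tls-match-cn annotation
// carries metacharacters; feed it real kubectl output to hunt for attempts.
func scanIngressList(data []byte) ([]finding, error) {
	var list ingressList
	if err := json.Unmarshal(data, &list); err != nil {
		return nil, err
	}
	var out []finding
	for _, it := range list.Items {
		if v, ok := it.Metadata.Annotations[matchCNAnnotation]; ok && hasConfigMetachars(v) {
			out = append(out, finding{it.Metadata.Namespace, it.Metadata.Name, v})
		}
	}
	return out, nil
}

// Constructed annotation value: closes the `if`, appends a harmless
// add_header directive, then reopens an `if` so the template's tail still fits.
const craftedValue = "CN=x ) { return 403; }\n    add_header X-Injected 1 always;\n    if ( $ssl_client_s_dn !~ CN=x"

// Constructed kubectl output: one legitimate Ingress and one carrying craftedValue.
const sampleIngressJSON = `{"items":[
 {"metadata":{"name":"shop","namespace":"prod","annotations":{
  "nginx.ingress.kubernetes.io/auth-tls-match-cn":"CN=(frontend|checkout)"}}},
 {"metadata":{"name":"evil","namespace":"default","annotations":{
  "nginx.ingress.kubernetes.io/auth-tls-match-cn":"CN=x ) { return 403; }\n    add_header X-Injected 1 always;\n    if ( $ssl_client_s_dn !~ CN=x"}}}
]}`

func main() {
	cfg, _ := renderMatchCN(craftedValue)
	fmt.Print("vulnerable rendering:\n" + cfg)
	_, err := renderMatchCNSafe(craftedValue)
	fmt.Println("hardened rendering:", err)
	findings, _ := scanIngressList([]byte(sampleIngressJSON))
	for _, f := range findings {
		fmt.Printf("suspicious annotation on %s/%s: %q\n", f.Namespace, f.Name, f.Value)
	}
}
```

Against a live cluster, replace sampleIngressJSON with the bytes of `kubectl get ingress -A -o json`; a hit means an Ingress with an annotation value that can only be there to alter the generated configuration. The check is deliberately a denylist of configuration syntax rather than a pattern for "what a CN looks like", because the value is documented as a free-form regular expression and an allowlist tight enough to be safe would reject legitimate patterns.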

Community reactions

The vulnerability was discovered and reported by Wiz researchers Nir Ohfeld, Ronen Shustin, Sagi Tzadik and Hillai Ben Sasson. The fix and coordinated disclosure were handled by ingress-nginx maintainers Marco Ebert and James Strong together with Tabitha Sable and the Kubernetes Security Response Committee (Kubernetes Issue).

Additional resources

Kubernetes Issue and Wiz Blog (cited inline above)

Source: This report was generated using AI
