CVE-2025-1098
Ingress NGINX Controller (community-driven) vulnerability analysis and mitigation

Overview

A critical security vulnerability (CVE-2025-1098) was discovered in ingress-nginx (https://github.com/kubernetes/ingress-nginx) where the mirror-target and mirror-host Ingress annotations can be used to inject arbitrary configuration into nginx. The vulnerability was disclosed on March 24, 2025, and affects all versions of ingress-nginx prior to versions 1.12.1, 1.11.5, and 1.10.7 (Kubernetes Issue, NVD).

Technical details

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue stems from improper input validation (CWE-20) in the admission controller component of the Ingress NGINX Controller for Kubernetes. The vulnerability allows attackers to inject arbitrary NGINX configuration remotely by sending malicious ingress objects directly to the admission controller (Hacker News).

Impact

Successful exploitation of this vulnerability can lead to arbitrary code execution in the context of the ingress-nginx controller and disclosure of Secrets accessible to the controller. In the default installation, the controller has access to all Secrets cluster-wide, potentially resulting in complete cluster takeover. The vulnerability affects over 6,500 clusters that expose the component to the public internet (Hacker News).

Mitigation and workarounds

Users are strongly advised to upgrade to ingress-nginx versions 1.12.1, 1.11.5, or 1.10.7 or later. Additional mitigation steps include ensuring that the admission webhook endpoint is not exposed externally and limiting access to the admission controller to only the Kubernetes API Server. If not needed, the admission controller component can be temporarily disabled (Kubernetes Issue).
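One way to apply the "API server only" restriction above is a Kubernetes NetworkPolicy that limits who may reach the controller pod's admission webhook port while leaving normal HTTP/HTTPS traffic open. This is an added example, not a manifest from the ingress-nginx project; it assumes the standard namespace name `ingress-nginx`, the standard controller labels, the webhook container port 8443, and a placeholder control-plane CIDR that you must replace with your own.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-nginx-admission-apiserver-only
  namespace: ingress-nginx            # assumption: controller deployed in this namespace
spec:
  # Select the controller pods (labels used by the upstream manifests; verify with
  # `kubectl get pods -n ingress-nginx --show-labels`)
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/component: controller
  policyTypes:
    - Ingress
  ingress:
    # Rule 1: the validating admission webhook (container port 8443, behind the
    # ingress-nginx-controller-admission Service) only from the control plane.
    - from:
        - ipBlock:
            cidr: 10.0.0.0/24         # PLACEHOLDER: CIDR of your API server / control-plane nodes
      ports:
        - protocol: TCP
          port: 8443
    # Rule 2: no `from` means any source; keeps the Ingress data plane serving.
    - ports:
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443
    # Caveat: once this policy selects the pod, every other inbound port is denied.
    # If your platform probes the health/metrics port (10254 in the upstream
    # manifests), add a rule for it from the prober's CIDR.
```

Whether the API server's webhook calls arrive with a routable source address inside the CIDR depends on the CNI and on managed control planes, so confirm with a test Ingress that the webhook still answers after applying the policy. If the webhook is not needed at all, the Helm chart's `controller.admissionWebhooks.enabled=false` value removes it, as the advisory's last workaround describes.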

Community reactions

The vulnerability was discovered and reported by security researchers Nir Ohfeld, Ronen Shustin, Sagi Tzadik, and Hillai Ben Sasson from cloud security firm Wiz. The issue was subsequently fixed and coordinated by Marco Ebert, James Strong, Tabitha Sable, and the Kubernetes Security Response Committee (Kubernetes Issue).
