Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vulnerability DatabaseCVE-2025-24513
CVE-2025-24513:
Ingress NGINX Controller (community-driven) vulnerability analysis and mitigation
Overview
A security vulnerability (CVE-2025-24513) was discovered in ingress-nginx, a popular Kubernetes ingress controller. The vulnerability was disclosed on March 24, 2025, affecting the ingress-nginx Admission Controller feature where attacker-provided data could be included in a filename, resulting in directory traversal within the container. This vulnerability affects ingress-nginx versions prior to v1.11.5 and v1.12.1 (Kubernetes Issue, NVD).
Technical details
The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L. The issue stems from improper input validation (CWE-20) in the admission controller component, which processes incoming ingress objects before they are deployed. The admission controller is accessible over the network without authentication, making it an appealing attack vector (Wiz Blog, Hacker News).
Impact
The exploitation of this vulnerability could result in denial of service conditions or, when combined with other vulnerabilities, limited disclosure of Secret objects from the cluster. According to research, approximately 43% of cloud environments are vulnerable to this issue, with over 6,500 clusters, including Fortune 500 companies, potentially exposed (Wiz Blog, Hacker News).
Mitigation and workarounds
Organizations are advised to upgrade to ingress-nginx versions v1.11.5, v1.12.1, or later. If immediate upgrading is not possible, temporary mitigation can be achieved by disabling the admission controller component of ingress-nginx. Additionally, organizations should enforce strict network policies to ensure only the Kubernetes API Server can access the admission controller and verify that the admission webhook endpoint is not exposed externally (Kubernetes Issue, Wiz Blog).
Community reactions
The vulnerability was discovered and reported by security researchers Nir Ohfeld and Ronen Shustin from Wiz. The issue was subsequently fixed and coordinated by Marco Ebert, James Strong, Tabitha Sable, and the Kubernetes Security Response Committee. Major cloud providers including Amazon and Google Cloud have published their own advisories in response to this vulnerability (Wiz Blog).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
Ready to see Wiz in action?
“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management