CVE-2025-24514
Ingress NGINX Controller (community-driven) vulnerability analysis and mitigation

Overview

A critical security vulnerability (CVE-2025-24514) was discovered in the ingress-nginx controller for Kubernetes, where the auth-url Ingress annotation can be used to inject configuration into nginx. This vulnerability was reported by researchers from Wiz and affects the ingress-nginx controller, potentially impacting over 6,500 clusters exposed to the public internet. The vulnerability was disclosed on March 24, 2025, and has been assigned a CVSS v3.1 score of 8.8 (High) (NVD, Hacker News).

Technical details

The vulnerability stems from improper input validation (CWE-20) in the ingress-nginx controller's handling of the auth-url Ingress annotation. When exploited, it allows attackers to inject arbitrary configuration into NGINX, which can lead to code execution in the context of the ingress-nginx controller. The vulnerability is particularly severe because, in default installations, the controller has access to all Secrets cluster-wide (GitHub Issue, NVD).

Impact

The successful exploitation of this vulnerability can result in arbitrary code execution in the context of the ingress-nginx controller and disclosure of Secrets accessible to the controller. In default installations where the controller has cluster-wide access to Secrets, this could lead to complete cluster takeover. The vulnerability affects approximately 43% of cloud environments (Hacker News).

Mitigation and workarounds

The vulnerability has been patched in ingress-nginx controller versions 1.12.1, 1.11.5, and 1.10.7. Users are strongly advised to upgrade to these versions or later. As a temporary mitigation, users can turn on annotation validation with the --enable-annotation-validation CLI argument (enabled by default from v1.12.0) and ensure that the admission webhook endpoint is not exposed externally (GitHub Issue, Hacker News).
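An added audit script (not part of the Wiz report or the ingress-nginx project) that applies the two checks above to a controller Deployment: it compares the image tag against the fixed releases per minor line and flags annotation validation left off. It assumes the input is the JSON that `kubectl get deploy -n ingress-nginx ingress-nginx-controller -o json` returns; the sample object is constructed so the script runs offline.

```python
"""Audit an ingress-nginx controller Deployment for CVE-2025-24514 exposure.
Added example, not the project's code. Input is the Deployment object that
`kubectl get deploy -n ingress-nginx ingress-nginx-controller -o json` returns;
the sample at the bottom is constructed so the check runs offline."""
import json
import re

# Fixed versions per release line, as stated in the advisory above.
FIXED = {(1, 12): (1, 12, 1), (1, 11): (1, 11, 5), (1, 10): (1, 10, 7)}
VALIDATION_FLAG = "--enable-annotation-validation"


def parse_version(image):
    """Extract (major, minor, patch) from an image reference, or None."""
    tag = image.split("@")[0].rsplit("/", 1)[-1]  # drop digest and registry path
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(version):
    """True at or above the fix for the version's minor line; lines newer than
    1.12 carry the fix, lines older than 1.10 never received one."""
    line = version[:2]
    return version >= FIXED[line] if line in FIXED else line > (1, 12)


def audit(deployment):
    """Return findings for one controller Deployment (empty list = clean)."""
    findings = []
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        name, version = c["name"], parse_version(c["image"])
        if version is None:
            findings.append(f"{name}: cannot read version from {c['image']}")
        elif not is_patched(version):
            findings.append(f"{name}: unpatched {c['image']}; upgrade to a fixed release")
        args = c.get("args", [])
        off = f"{VALIDATION_FLAG}=false" in args
        on = any(a in (VALIDATION_FLAG, f"{VALIDATION_FLAG}=true") for a in args)
        default_on = version is not None and version >= (1, 12, 0)  # on by default from v1.12.0
        if off or not (on or default_on):
            findings.append(f"{name}: annotation validation is off (set {VALIDATION_FLAG})")
    return findings


# Constructed sample: a 1.11.4 controller with the flag left at its pre-1.12 default (off).
SAMPLE = json.loads("""{"spec": {"template": {"spec": {"containers": [
  {"name": "controller",
   "image": "registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:placeholder",
   "args": ["/nginx-ingress-controller", "--election-id=ingress-nginx-leader"]}]}}}}""")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

Run it against each cluster's controller Deployment; an empty result means the image is at or past the fixed release for its line and annotation validation is active, which still leaves the webhook exposure check to do separately.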

Community reactions

AWS has proactively notified customers who were identified as having the affected controller installed, though Amazon EKS itself does not provide or install the ingress-nginx controller by default. The vulnerability was discovered and reported by security researchers Nir Ohfeld, Ronen Shustin, and Sagi Tzadik from Wiz (AWS Bulletin).

This report was generated using AI.
