Executive Summary

CVE-2025-15566 is a security vulnerability in ingress-nginx related to the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` Ingress annotation.

This annotation can be exploited to inject arbitrary configuration into the nginx setup managed by ingress-nginx.

An attacker can use this to execute arbitrary code within the context of the ingress-nginx controller and potentially disclose Kubernetes Secrets accessible to the controller.

By default, the ingress-nginx controller has cluster-wide access to all Secrets, which increases the severity of this issue.

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can allow an attacker to execute arbitrary code in the ingress-nginx controller's context."}, {'type': 'paragraph', 'content': 'It can also lead to the disclosure of Kubernetes Secrets that the controller can access.'}, {'type': 'paragraph', 'content': 'Since the ingress-nginx controller typically has cluster-wide access to Secrets, this can result in a significant compromise of sensitive information.'}, {'type': 'paragraph', 'content': 'The CVSS score of 8.8 indicates a high severity with impacts on confidentiality, integrity, and availability.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of exploitation attempts can be done by monitoring for suspicious data within ConfigMaps passed to the `auth-proxy-set-headers` annotation in Ingress resources.'}, {'type': 'paragraph', 'content': 'You can inspect your Kubernetes Ingress resources for the presence of the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` annotation and review the associated ConfigMaps for unexpected or malicious configuration entries.'}, {'type': 'list_item', 'content': 'kubectl get ingress --all-namespaces -o json | jq \'.items[] | select(.metadata.annotations."nginx.ingress.kubernetes.io/auth-proxy-set-headers" != null) | {namespace: .metadata.namespace, name: .metadata.name, authProxySetHeaders: .metadata.annotations."nginx.ingress.kubernetes.io/auth-proxy-set-headers"}\''}, {'type': 'list_item', 'content': 'kubectl get configmap <configmap-name> -n <namespace> -o yaml'}, {'type': 'paragraph', 'content': 'These commands help identify Ingress resources using the vulnerable annotation and allow inspection of the ConfigMaps they reference to detect suspicious or unauthorized configuration injections.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade ingress-nginx to version v1.12.5, v1.13.1, or any later release where this vulnerability has been patched.

Additionally, review and restrict the use of the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` annotation in your Ingress resources to prevent unauthorized configuration injection.

Limit the permissions of the ingress-nginx controller to only the necessary Secrets and resources it requires, reducing the potential impact of any exploitation.

Useful 0 Not Useful 0