CVE-2025-15566
Arbitrary Code Execution via Auth-Proxy Header Injection in ingress-nginx
Publication date: 2026-02-06
Last updated on: 2026-02-06
Assigner: Kubernetes
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ingress-nginx | ingress-nginx | to 1.13.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15566 is a security vulnerability in ingress-nginx related to the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` Ingress annotation.
This annotation can be exploited to inject arbitrary configuration into the nginx setup managed by ingress-nginx.
An attacker can use this to execute arbitrary code within the context of the ingress-nginx controller and potentially disclose Kubernetes Secrets accessible to the controller.
By default, the ingress-nginx controller has cluster-wide access to all Secrets, which increases the severity of this issue.
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': "This vulnerability can allow an attacker to execute arbitrary code in the ingress-nginx controller's context."}, {'type': 'paragraph', 'content': 'It can also lead to the disclosure of Kubernetes Secrets that the controller can access.'}, {'type': 'paragraph', 'content': 'Since the ingress-nginx controller typically has cluster-wide access to Secrets, this can result in a significant compromise of sensitive information.'}, {'type': 'paragraph', 'content': 'The CVSS score of 8.8 indicates a high severity with impacts on confidentiality, integrity, and availability.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'Detection of exploitation attempts can be done by monitoring for suspicious data within ConfigMaps passed to the `auth-proxy-set-headers` annotation in Ingress resources.'}, {'type': 'paragraph', 'content': 'You can inspect your Kubernetes Ingress resources for the presence of the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` annotation and review the associated ConfigMaps for unexpected or malicious configuration entries.'}, {'type': 'list_item', 'content': 'kubectl get ingress --all-namespaces -o json | jq \'.items[] | select(.metadata.annotations."nginx.ingress.kubernetes.io/auth-proxy-set-headers" != null) | {namespace: .metadata.namespace, name: .metadata.name, authProxySetHeaders: .metadata.annotations."nginx.ingress.kubernetes.io/auth-proxy-set-headers"}\''}, {'type': 'list_item', 'content': 'kubectl get configmap <configmap-name> -n <namespace> -o yaml'}, {'type': 'paragraph', 'content': 'These commands help identify Ingress resources using the vulnerable annotation and allow inspection of the ConfigMaps they reference to detect suspicious or unauthorized configuration injections.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade ingress-nginx to version v1.12.5, v1.13.1, or any later release where this vulnerability has been patched.
Additionally, review and restrict the use of the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` annotation in your Ingress resources to prevent unauthorized configuration injection.
Limit the permissions of the ingress-nginx controller to only the necessary Secrets and resources it requires, reducing the potential impact of any exploitation.