CVE-2025-1097: ingress-nginx controller - configuration injection via unsanitized auth-tls-match-cn annotation
First published: Mon Mar 24 2025(Updated: )
<p>Ingress Controllers play a critical role within Kubernetes clusters by enabling the functionality of Ingress resources.</p> <p>Azure Kubernetes Service (AKS) is aware of several security vulnerabilities affecting the Kubernetes ingress-nginx controller, including CVE-2025-1098, CVE-2025-1974, CVE-2025-1097, CVE-2025-24514, and CVE-2025-24513.</p> <p>Customers running this controller on their AKS clusters are advised to update to the latest patched versions (v1.11.5 and v1.12.1) to mitigate potential risks.</p>
Credit: jordan@liggitt.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Microsoft Azure Kubernetes Service Node on Azure Linux | ||
| go/k8s.io/ingress-nginx | >=1.12.0-beta.0<1.12.1 | 1.12.1 |
| go/k8s.io/ingress-nginx | <1.11.5 | 1.11.5 |
| F5 BIG-IP Next Central Manager |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-1097 (Advisory)
- https://github.com/kubernetes/kubernetes/issues/131007
- https://www.theregister.com/2025/03/25/kubernetes_flaw_rce_risk/
- https://nvd.nist.gov/vuln/detail/CVE-2025-1097
- https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.11.5
- https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.12.1
- https://groups.google.com/g/kubernetes-security-announce/c/2qa9DFtN0cQ
- https://github.com/advisories/GHSA-823x-fv5p-h7hw (Advisory)
- https://my.f5.com/manage/s/article/K000150538
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is the severity of CVE-2025-1097?
CVE-2025-1097 is considered a high severity vulnerability that can potentially allow remote code execution.
How do I fix CVE-2025-1097?
To mitigate CVE-2025-1097, upgrade your ingress-nginx controller to the latest versions where the vulnerability is patched.
What are the potential impacts of CVE-2025-1097?
CVE-2025-1097 can lead to unauthorized access and control over the Kubernetes environment, impacting application security.
Which software is affected by CVE-2025-1097?
CVE-2025-1097 affects the Kubernetes ingress-nginx controller within Azure Kubernetes Service.
How can organizations detect CVE-2025-1097?
Organizations can detect CVE-2025-1097 by performing vulnerability assessments and reviewing the versions of their ingress-nginx controllers.
- collector/msrc
- source/Microsoft
- collector/msrc-cve
- agent/type
- agent/first-publish-date
- agent/software-canonical-lookup
- collector/the-register
- source/The Register
- alias/CVE-2025-1974
- alias/CVE-2025-1097
- alias/CVE-2025-1098
- alias/CVE-2025-24514
- alias/CVE-2025-24513
- agent/title
- agent/author
- agent/weakness
- agent/trending
- agent/source
- agent/references
- agent/description
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-823x-fv5p-h7hw
- agent/event
- agent/softwarecombine
- agent/news-ai
- agent/severity
- agent/tags
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- collector/nvd-cve
- collector/f5-advisory
- source/F5
- vendor/microsoft
- canonical/microsoft azure kubernetes service node on azure linux
- package-manager/go
- vendor/f5