CVE-2025-1098: ingress-nginx controller - configuration injection via unsanitized mirror annotations
First published: Mon Mar 24 2025(Updated: )
<p>Ingress Controllers play a critical role within Kubernetes clusters by enabling the functionality of Ingress resources.</p> <p>Azure Kubernetes Service (AKS) is aware of several security vulnerabilities affecting the Kubernetes ingress-nginx controller, including CVE-2025-1098, CVE-2025-1974, CVE-2025-1097, CVE-2025-24514, and CVE-2025-24513.</p> <p>Customers running this controller on their AKS clusters are advised to update to the latest patched versions (v1.11.5 and v1.12.1) to mitigate potential risks.</p>
Credit: jordan@liggitt.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Microsoft Azure Kubernetes Service Node on Azure Linux | ||
| go/k8s.io/ingress-nginx | >=1.12.0-beta.0<1.12.1 | 1.12.1 |
| go/k8s.io/ingress-nginx | <1.11.5 | 1.11.5 |
| F5 BIG-IP Next Central Manager |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-1098 (Advisory)
- https://github.com/kubernetes/kubernetes/issues/131008
- https://www.theregister.com/2025/03/25/kubernetes_flaw_rce_risk/
- https://nvd.nist.gov/vuln/detail/CVE-2025-1098
- https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.11.5
- https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.12.1
- https://groups.google.com/g/kubernetes-security-announce/c/2qa9DFtN0cQ
- https://github.com/advisories/GHSA-vg63-w3p9-jc9m (Advisory)
- https://my.f5.com/manage/s/article/K000150538
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is the severity of CVE-2025-1098?
CVE-2025-1098 has been classified with a high severity level due to its potential impact on Kubernetes cluster security.
How do I fix CVE-2025-1098?
To remediate CVE-2025-1098, update the ingress-nginx controller to the latest version recommended by Microsoft.
What systems are affected by CVE-2025-1098?
CVE-2025-1098 affects Azure Kubernetes Service running the ingress-nginx controller.
What are the potential consequences of CVE-2025-1098?
Exploitation of CVE-2025-1098 could lead to remote code execution within the Kubernetes cluster.
Is there a workaround for CVE-2025-1098?
While the best solution is to apply the updates, temporarily restricting ingress resources may serve as a workaround until a patch is implemented.
- collector/msrc
- source/Microsoft
- collector/msrc-cve
- agent/type
- agent/first-publish-date
- agent/software-canonical-lookup
- collector/the-register
- source/The Register
- alias/CVE-2025-1974
- alias/CVE-2025-1097
- alias/CVE-2025-1098
- alias/CVE-2025-24514
- alias/CVE-2025-24513
- agent/title
- agent/author
- agent/weakness
- agent/trending
- agent/references
- agent/source
- agent/description
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-vg63-w3p9-jc9m
- agent/event
- agent/softwarecombine
- agent/news-ai
- agent/severity
- agent/tags
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- collector/nvd-cve
- collector/f5-advisory
- source/F5
- vendor/microsoft
- canonical/microsoft azure kubernetes service node on azure linux
- package-manager/go
- vendor/f5