CVE-2025-24513: ingress-nginx controller - auth secret file path traversal vulnerability
First published: Mon Mar 24 2025(Updated: )
<p>Ingress Controllers play a critical role within Kubernetes clusters by enabling the functionality of Ingress resources.</p> <p>Azure Kubernetes Service (AKS) is aware of several security vulnerabilities affecting the Kubernetes ingress-nginx controller, including CVE-2025-1098, CVE-2025-1974, CVE-2025-1097, CVE-2025-24514, and CVE-2025-24513.</p> <p>Customers running this controller on their AKS clusters are advised to update to the latest patched versions (v1.11.5 and v1.12.1) to mitigate potential risks.</p>
Credit: jordan@liggitt.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Microsoft Azure Kubernetes Service Node on Azure Linux | ||
| go/k8s.io/ingress-nginx | >=1.12.0-beta.0<1.12.1 | 1.12.1 |
| go/k8s.io/ingress-nginx | <1.11.5 | 1.11.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24513 (Advisory)
- https://github.com/kubernetes/kubernetes/issues/131005
- https://www.theregister.com/2025/03/25/kubernetes_flaw_rce_risk/
- https://nvd.nist.gov/vuln/detail/CVE-2025-24513
- https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.11.5
- https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.12.1
- https://groups.google.com/g/kubernetes-security-announce/c/2qa9DFtN0cQ
- https://github.com/advisories/GHSA-242m-6h72-7hgp (Advisory)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is the severity of CVE-2025-24513?
CVE-2025-24513 is classified as a high-severity vulnerability due to its potential impact on Kubernetes clusters.
How do I fix CVE-2025-24513?
To fix CVE-2025-24513, you should update the ingress-nginx controller to the latest stable version.
What versions are affected by CVE-2025-24513?
CVE-2025-24513 affects specific versions of the ingress-nginx controller running on Azure Kubernetes Service.
What is the impact of CVE-2025-24513?
The impact of CVE-2025-24513 could potentially allow an attacker to execute arbitrary code in a Kubernetes environment.
Is there a workaround for CVE-2025-24513?
A temporary workaround for CVE-2025-24513 includes enhancing network policies to restrict access to affected services.
- collector/msrc
- source/Microsoft
- collector/msrc-cve
- agent/type
- agent/first-publish-date
- agent/software-canonical-lookup
- collector/the-register
- source/The Register
- alias/CVE-2025-1974
- alias/CVE-2025-1097
- alias/CVE-2025-1098
- alias/CVE-2025-24514
- alias/CVE-2025-24513
- agent/title
- agent/author
- agent/weakness
- agent/references
- agent/softwarecombine
- agent/source
- agent/description
- agent/trending
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-242m-6h72-7hgp
- agent/event
- agent/news-ai
- agent/severity
- agent/tags
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- collector/nvd-cve
- collector/github-advisory
- vendor/microsoft
- canonical/microsoft azure kubernetes service node on azure linux
- package-manager/go