CVE-2025-1098 Affecting ingress-nginx-controller-1.12 package, versions <1.12.1-r14
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CHAINGUARDLATEST-INGRESSNGINXCONTROLLER112-9519386
- published26 Mar 2025
- disclosed25 Mar 2025
Introduced: 25 Mar 2025
NewCVE-2025-1098 (opens in a new tab)How to fix?
Upgrade Chainguard ingress-nginx-controller-1.12 to version 1.12.1-r14 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream ingress-nginx-controller-1.12 package and not the ingress-nginx-controller-1.12 package as distributed by Chainguard.
See How to fix? for Chainguard relevant fixed versions and status.
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the mirror-target and mirror-host Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)