Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Upgrade the ingress-nginx controller (tracked by Snyk as the Go package k8s.io/ingress-nginx/internal/ingress/annotations/auth) to version 1.11.5, 1.12.1 or higher.
Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization in the Validating Admission Controller feature. The admission webhook the controller runs is reachable from the pod network without client authentication, so an attacker who can reach it from any pod can achieve code execution inside the ingress-nginx controller pod. By default that pod's service account can read every Secret in the cluster, so code execution there exposes all stored secrets (TLS keys, tokens, credentials) and lets the attacker escalate privileges further with the material it obtains.
Until the upgrade can be applied, this vulnerability can be avoided by disabling the Validating Admission Controller feature. Note that this is a mitigation, not a fix: without the webhook, malformed or conflicting Ingress objects are no longer rejected at admission time and may break the generated nginx configuration, so re-enable it once a fixed version is deployed. For Helm deployments the feature is controlled via the setting controller.admissionWebhooks.enabled=false. For a manual deployment take the following actions:
1. Delete the ValidatingWebhookConfiguration called ingress-nginx-admission, so the API server stops sending admission requests to the controller.
2. Edit the ingress-nginx-controller Deployment or DaemonSet, removing --validating-webhook from the controller container's argument list, so the controller stops listening for admission requests altogether (deleting the configuration alone leaves the listener running and reachable from the pod network).
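The following script is an added example, not code from the Snyk advisory or the ingress-nginx project. It carries out the manual mitigation above (delete the ValidatingWebhookConfiguration, strip --validating-webhook from the controller args), offers the Helm route, and audits the result. The namespace ingress-nginx, workload name ingress-nginx-controller, container name controller and Helm release name ingress-nginx are assumptions taken from the default chart layout and can be overridden through environment variables; the cluster-facing functions need kubectl, jq and helm, while the filter and check functions are pure and read stdin so they can be exercised on their own.

```shell
#!/bin/sh
# Added example (not from the Snyk page or the ingress-nginx project): audit and
# apply the manual mitigation for the exposed ingress-nginx admission webhook.
# Assumed names (override with env vars): namespace, workload, container, release.
NS="${NS:-ingress-nginx}"
WORKLOAD="${WORKLOAD:-ingress-nginx-controller}"
CONTAINER="${CONTAINER:-controller}"
RELEASE="${RELEASE:-ingress-nginx}"

# Matches only the flag that starts the webhook listener (--validating-webhook or
# --validating-webhook=:8443). --validating-webhook-certificate / -key are left
# alone: they are inert once the listener flag is gone.
WEBHOOK_FLAG_RE='^--validating-webhook(=|$)'

# stdin: container args, one per line. Exit 0 if the listener flag is present.
webhook_flag_set() {
    grep -q -E -- "$WEBHOOK_FLAG_RE"
}

# stdin: container args, one per line. stdout: the list without the listener flag.
# grep -v exits 1 when it dropped every line, which is not an error here.
filter_webhook_args() {
    grep -v -E -- "$WEBHOOK_FLAG_RE" || [ $? -eq 1 ]
}

# stdin: output of `kubectl get validatingwebhookconfigurations -o name`.
# Exit 0 if ingress-nginx-admission is still registered with the API server.
admission_config_present() {
    grep -q -E -- '/ingress-nginx-admission$'
}

# Print the controller container's args for one workload kind (deployment|daemonset).
controller_args() {
    kubectl get "$1" "$WORKLOAD" -n "$NS" -o json 2>/dev/null \
        | jq -r --arg c "$CONTAINER" \
            '.spec.template.spec.containers[] | select(.name == $c) | .args[]?'
}

# Report whether either half of the mitigation is still missing.
audit() {
    rc=0
    if kubectl get validatingwebhookconfigurations -o name | admission_config_present; then
        echo "ValidatingWebhookConfiguration ingress-nginx-admission still exists"; rc=1
    fi
    for kind in deployment daemonset; do
        if controller_args "$kind" | webhook_flag_set; then
            echo "$kind/$WORKLOAD still passes --validating-webhook to container $CONTAINER"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "admission webhook is disabled"
    return "$rc"
}

# Manual mitigation for a non-Helm deployment: the two steps from the advisory.
remediate() {
    kubectl delete validatingwebhookconfiguration ingress-nginx-admission --ignore-not-found
    for kind in deployment daemonset; do
        kubectl get "$kind" "$WORKLOAD" -n "$NS" >/dev/null 2>&1 || continue
        # Rewrite the controller container's args in place; [.[]? ...] tolerates a missing args list.
        kubectl get "$kind" "$WORKLOAD" -n "$NS" -o json \
            | jq --arg c "$CONTAINER" --arg re "$WEBHOOK_FLAG_RE" \
                '(.spec.template.spec.containers[] | select(.name == $c) | .args)
                   |= [.[]? | select(test($re) | not)]' \
            | kubectl replace -f -
    done
}

# Helm mitigation: the same effect through the chart value (assumes the upstream chart).
helm_disable() {
    helm upgrade "$RELEASE" ingress-nginx/ingress-nginx -n "$NS" --reuse-values \
        --set controller.admissionWebhooks.enabled=false
}

# Usage: ./mitigate.sh audit | fix | helm   (no argument: only define the functions)
case "${1:-}" in
    audit) audit ;;
    fix)   remediate && audit ;;
    helm)  helm_disable && audit ;;
esac
```

Run `audit` first to see which of the two steps is still outstanding; `fix` performs the manual steps and re-audits, and `helm` does the same through the chart value. The regex deliberately stops at `--validating-webhook` followed by `=` or end of string, so a loose `grep validating-webhook` that would also strip the certificate and key flags is avoided; removing those is unnecessary and would make a later re-enable harder.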