CVE-2025-24513 – k8s.io/ingress-nginx

Package

Manager: go
Name: k8s.io/ingress-nginx
Vulnerable Version: >=0 <1.11.5 || >=1.12.0-beta.0 <1.12.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00025 pctl0.05449

Details

ingress-nginx controller - auth secret file path traversal vulnerability A security issue was discovered in [ingress-nginx](https://github.com/kubernetes/ingress-nginx) where attacker-provided data are included in a filename by the ingress-nginx Admission Controller feature, resulting in directory traversal within the container. This could result in denial of service, or when combined with other vulnerabilities, limited disclosure of Secret objects from the cluster.

Metadata

Created: 2025-03-25T00:30:26Z
Modified: 2025-03-25T15:10:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-242m-6h72-7hgp/GHSA-242m-6h72-7hgp.json
CWE IDs: ["CWE-20", "CWE-22"]
Alternative ID: GHSA-242m-6h72-7hgp
Finding: F063
Auto approve: 1