CVE-2025-1098

HIGH NUCLEI

Kubernetes ingress-nginx mirror annotations - Controller Code Execution

Title source: manual

Exploitation Summary

EIP tracks 4 public exploits for CVE-2025-1098. PoCs published by Beatriz Fresno Naumova, hakaioffsec, Esonhugh. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit demonstrates a file descriptor injection vulnerability in the Ingress-NGINX Admission Controller, leading to remote code execution by uploading a malicious shared object and brute-forcing file descriptors.

Description

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `mirror-target` and `mirror-host` Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Exploits (4)

exploitdb WORKING POC

by Beatriz Fresno Naumova · textremotemultiple

https://www.exploit-db.com/exploits/52475

View Code ZIP pw:eip

This exploit demonstrates a file descriptor injection vulnerability in the Ingress-NGINX Admission Controller, leading to remote code execution by uploading a malicious shared object and brute-forcing file descriptors.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Ingress-NGINX Admission Controller v1.10.0 to v1.11.1

No auth needed

Prerequisites: Access to the admission webhook URL · Ability to upload a malicious shared object to the ingress controller

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

github WORKING POC 248 stars

by hakaioffsec · pythonpoc

https://github.com/hakaioffsec/IngressNightmare-PoC

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2025-1098, targeting unauthenticated RCE in the Ingress NGINX Controller for Kubernetes. The exploit compiles a malicious shared object, uploads it via a crafted HTTP request with mismatched Content-Length, and brute-forces file descriptors to trigger execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Ingress NGINX Controller for Kubernetes (versions prior to 1.12.1 or 1.11.5)

No auth needed

Prerequisites: Python 3.x · GCC compiler · access to target Ingress URL and admission webhook URL

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 19, 2026 Full analysis →

github WORKING POC 92 stars

by Esonhugh · gopoc

https://github.com/Esonhugh/ingressNightmare-CVE-2025-1974-exps

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2025-1907, targeting Kubernetes ingress-nginx. The exploit leverages a vulnerability in the handling of HTTP requests to achieve remote code execution by manipulating temporary files and admission webhook configurations.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: kubernetes/ingress-nginx

No auth needed

Prerequisites: Access to the ingress-nginx controller admission webhook URL · Access to the upload URL for sending crafted requests

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 19, 2026 Full analysis →

github WORKING POC 9 stars

by lufeirider · pythonpoc

https://github.com/lufeirider/IngressNightmare-PoC

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2025-1098, targeting a Kubernetes Ingress vulnerability. The exploit uses a crafted AdmissionReview request to achieve remote code execution (RCE) via a base64-encoded payload.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Kubernetes Ingress (specific version not specified)

Auth required

Prerequisites: Access to a Kubernetes cluster with Ingress configured · Permissions to send AdmissionReview requests

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 19, 2026 Full analysis →

Nuclei Templates (1)

Ingress-Nginx Controller - Configuration Injection via Unsanitized Mirror Annotations

HIGHVERIFIEDby UNC1739

Shodan: ssl:"ingress-nginx" port:8443

References (3)

Core 3

Core References

Exploit, Third Party Advisory

https://www.exploit-db.com/exploits/52475

Issue Tracking

https://github.com/kubernetes/kubernetes/issues/131008

Vendor Advisory

https://security.netapp.com/advisory/ntap-20250328-0008/

Scores

CVSS v3 8.8

EPSS 0.8431

EPSS Percentile 99.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-20

Status published

Products (3)

k8s.io/ingress-nginx 0 - 1.11.5Go

kubernetes/ingress-nginx < 1.11.4

kubernetes/ingress-nginx 1.12.0

Published Mar 25, 2025

Tracked Since Feb 18, 2026