CVE-2025-15566

HIGH

Kubernetes ingress-nginx auth-proxy-set-headers - Controller Code Execution

Title source: manual
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-15566. PoCs published by exploitintel.

AI-analyzed exploit summary This repository contains a functional exploit PoC for CVE-2025-15566, demonstrating remote code execution (RCE) in ingress-nginx via unvalidated ConfigMap values. The PoC includes a Docker-based lab environment and scripts to trigger RCE via an injected Lua endpoint.

Description

A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Exploits (1)

github WORKING POC 2 stars
by exploitintel · cpoc
https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2025-15566

This repository contains a functional exploit PoC for CVE-2025-15566, demonstrating remote code execution (RCE) in ingress-nginx via unvalidated ConfigMap values. The PoC includes a Docker-based lab environment and scripts to trigger RCE via an injected Lua endpoint.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: ingress-nginx < 1.12.5, < 1.13.1
No auth needed
Prerequisites: Kubernetes RBAC permissions to create ConfigMaps and Ingress resources
devstral-2 · analyzed Mar 14, 2026 Full analysis →

References (1)

Core 1

Scores

CVSS v3 8.8
EPSS 0.0006
EPSS Percentile 19.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-20
Status published
Products (2)
Kubernetes/ingress-nginx < 1.12.5
Kubernetes/ingress-nginx < 1.13.1
Published Feb 06, 2026
Tracked Since Feb 18, 2026