CVE-2025-24513
MEDIUM
ingress-nginx < 1.11.5 and 1.12.0 - Directory Traversal via Admission Controller Filename Handling
Title source: llm
Description
A security issue was discovered in ingress-nginx (https://github.com/kubernetes/ingress-nginx) where attacker-provided data are included in a filename by the ingress-nginx Admission Controller feature, resulting in directory traversal within the container. This could result in denial of service, or when combined with other vulnerabilities, limited disclosure of Secret objects from the cluster.
References (2)
Core References
Issue Tracking
https://github.com/kubernetes/kubernetes/issues/131005
Vendor Advisory
https://security.netapp.com/advisory/ntap-20250328-0008/
Scores
CVSS v3
4.8
EPSS
0.0348
EPSS Percentile
87.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-20
Status
published
Products (3)
k8s.io/ingress-nginx
0 - 1.11.5 (Go)
kubernetes/ingress-nginx
< 1.11.4
kubernetes/ingress-nginx
1.12.0
Published
Mar 25, 2025
Tracked Since
Feb 18, 2026