CVE-2025-24514

HIGH NUCLEI

ingress-nginx < 1.11.5 and 1.12.0 - Remote Code Execution via auth-url Annotation Injection

Title source: llm

Exploitation Summary

EIP tracks 5 public exploits for CVE-2025-24514. PoCs published by Beatriz Fresno Naumova, hakaioffsec, Esonhugh. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit demonstrates a file descriptor injection vulnerability in the Ingress-NGINX Admission Controller, leading to remote code execution by uploading a malicious shared object and brute-forcing file descriptors.

Description

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Exploits (5)

exploitdb WORKING POC

by Beatriz Fresno Naumova · textremotemultiple

https://www.exploit-db.com/exploits/52475

View Code ZIP pw:eip

This exploit demonstrates a file descriptor injection vulnerability in the Ingress-NGINX Admission Controller, leading to remote code execution by uploading a malicious shared object and brute-forcing file descriptors.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Ingress-NGINX Admission Controller v1.10.0 to v1.11.1

No auth needed

Prerequisites: Access to the admission webhook URL · Ability to upload a malicious shared object to the ingress controller

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

github WORKING POC 248 stars

by hakaioffsec · pythonpoc

https://github.com/hakaioffsec/IngressNightmare-PoC

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2025-24514, targeting unauthenticated RCE in the Ingress NGINX Controller for Kubernetes. The exploit compiles a malicious shared object, uploads it via a crafted HTTP request with mismatched Content-Length, and brute-forces file descriptors to trigger execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Ingress NGINX Controller for Kubernetes

No auth needed

Prerequisites: Python 3.x · GCC compiler · access to target Ingress URL and admission webhook

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 19, 2026 Full analysis →

github WORKING POC 92 stars

by Esonhugh · gopoc

https://github.com/Esonhugh/ingressNightmare-CVE-2025-1974-exps

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2025-1974, targeting Kubernetes ingress-nginx. The exploit leverages a vulnerability in the handling of HTTP requests to achieve remote code execution by manipulating temporary files and admission webhook configurations.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: kubernetes/ingress-nginx

No auth needed

Prerequisites: Access to the ingress-nginx controller admission webhook URL · Access to the upload URL for the ingress-nginx controller

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 19, 2026 Full analysis →

github WORKING POC 9 stars

by lufeirider · pythonpoc

https://github.com/lufeirider/IngressNightmare-PoC

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2025-24514, targeting a Kubernetes Ingress vulnerability. The exploit uses a crafted AdmissionReview request with a malicious payload to achieve remote code execution (RCE) on vulnerable systems.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Kubernetes Ingress (specific version not specified)

Auth required

Prerequisites: Access to a vulnerable Kubernetes cluster · Valid authentication credentials

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec SCANNER

by KimJuhyeong95 · poc

https://github.com/KimJuhyeong95/cve-2025-24514

View Code ZIP pw:eip

This repository contains a Python-based scanner for CVE-2025-24514, which targets an ingress-nginx vulnerability allowing NGINX configuration manipulation via the `auth-url` annotation. The PoC sends a crafted HTTP request to detect potential vulnerability by checking for specific strings in the response.

Classification

Scanner 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Theoretical

Target: ingress-nginx (Kubernetes Ingress Controller)

No auth needed

Prerequisites: Target server running ingress-nginx with exposed `auth-url` annotation processing · Network access to the target server

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Ingress-Nginx Controller - Configuration Injection via Unsanitized `auth-url` Annotation

HIGHVERIFIEDby iamnoooob,rootxharsh,pdresearch

Shodan: ssl:"ingress-nginx" port:8443

References (3)

Core 3

Core References

Exploit, Third Party Advisory

https://www.exploit-db.com/exploits/52475

Issue Tracking

https://github.com/kubernetes/kubernetes/issues/131006

Vendor Advisory

https://security.netapp.com/advisory/ntap-20250328-0008/

Scores

CVSS v3 8.8

EPSS 0.4971

EPSS Percentile 97.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-20

Status published

Products (3)

k8s.io/ingress-nginx 0 - 1.11.5Go

kubernetes/ingress-nginx < 1.11.4

kubernetes/ingress-nginx 1.12.0

Published Mar 25, 2025

Tracked Since Feb 18, 2026