PoC for CVE-2025-1974: Critical RCE in Ingress-NGINX (<v1.12.1) via unsafe config injection. Exploitable from the pod network without credentials, enabling code execution and potential cluster takeover. Fixed in v1.12.1 and v1.11.5. For research/education only.

⚠️ Critical RCE in Ingress-NGINX via Configuration Injection (**CVE-2025-1974** and more)

This repository contains a proof-of-concept (PoC) exploit for **CVE-2025-1974**, a Critical (**CVSS 9.8**) vulnerability in the Ingress-NGINX controller for Kubernetes. This flaw allows unauthenticated remote code execution via unsafe configuration injection when using the Validating Admission Controller. It is the most serious of a set of five vulnerabilities disclosed and patched on March 26, 2025.

📌 Impact:
• Affected Versions: Ingress-NGINX controller prior to v1.12.1 / v1.11.5
• Attack Surface:
  • Exploitable by any workload on the Pod network — no credentials or admin privileges required
  • Attackers can inject arbitrary NGINX directives (e.g., content_by_lua_block) via annotations like configuration-snippet
  • When combined with misconfigurations, attackers can exfiltrate Secrets or achieve full cluster compromise
• Scope:
  • Ingress-NGINX often has access to all cluster Secrets by default
  • Pods in a typical cloud VPC or corporate network can reach the admission controller endpoint
  • Affected clusters include those running Ingress-NGINX with admission control enabled (default in many setups)

🛡️ Mitigation:
• Upgrade to Ingress-NGINX v1.12.1 or v1.11.5
• Disable risky annotations (configuration-snippet, server-snippet, etc.)
• Lock down network access to the Validating Admission Webhook
• Apply strict RBAC to prevent unauthorized Ingress creation

🧪 This PoC demonstrates how attackers can leverage the vulnerability to run arbitrary code inside the ingress controller pod — which often has access to internal services and secrets — escalating to full cluster takeover in vulnerable configurations.

🚨 Disclaimer: This PoC is for educational and research purposes only. Do not use it without explicit permission.

[4.0K] /data/pocs/d10c742dae934f099d82c599245ad27ea4a5a748
├── [2.6K] IngressNightmare.py
└── [1.9K] README.md
0 directories, 2 files
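
An added defensive example (not part of this repository or of the Ingress-NGINX project): a Python audit for the Mitigation list above, flagging controller images not confirmed to be at the fixed v1.12.1 / v1.11.5 releases, controllers started with a `--validating-webhook` argument, and Ingress objects carrying the snippet annotations. The object list is constructed sample data shaped like the items of `kubectl get deploy,ingress -A -o json`; the finding labels are hypothetical.

```python
import re

PREFIX = "nginx.ingress.kubernetes.io/"
SNIPPET_KEYS = ("configuration-snippet", "server-snippet")  # annotations named above

def controller_is_vulnerable(image):
    """True/False for a versioned controller image, None when no version tag is present."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    if not m:
        return None
    v = tuple(int(x) for x in m.groups())
    if v[:2] == (1, 12):
        return v < (1, 12, 1)   # 1.12 line is fixed in v1.12.1
    return v < (1, 11, 5)       # earlier lines are fixed in v1.11.5

def audit(items):
    """Return (object, finding, detail) tuples; finding labels are hypothetical."""
    findings = []
    for obj in items:
        meta = obj["metadata"]
        name = f'{meta.get("namespace", "")}/{meta["name"]}'
        if obj["kind"] == "Ingress":
            for key in meta.get("annotations") or {}:
                if key.startswith(PREFIX) and key[len(PREFIX):] in SNIPPET_KEYS:
                    findings.append((name, "snippet-annotation", key))
        elif obj["kind"] == "Deployment":
            for c in obj["spec"]["template"]["spec"]["containers"]:
                if "ingress-nginx/controller" not in c["image"]:
                    continue
                if controller_is_vulnerable(c["image"]) is not False:
                    findings.append((name, "vulnerable-or-unknown-version", c["image"]))
                if any(a.startswith("--validating-webhook") for a in c.get("args", [])):
                    findings.append((name, "admission-webhook-enabled", c["image"]))
    return findings

# Constructed sample objects (not taken from a real cluster).
SAMPLE = [
    {"kind": "Deployment", "metadata": {"namespace": "ingress-nginx", "name": "controller"},
     "spec": {"template": {"spec": {"containers": [{
         "image": "registry.k8s.io/ingress-nginx/controller:v1.11.3",
         "args": ["/nginx-ingress-controller", "--validating-webhook=:8443"]}]}}}},
    {"kind": "Ingress", "metadata": {"namespace": "shop", "name": "web", "annotations": {
        PREFIX + "configuration-snippet": 'more_set_headers "X-Frame-Options: DENY";'}}},
    {"kind": "Ingress", "metadata": {"namespace": "shop", "name": "api"}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

An image pinned only by digest has no version tag to compare, so it is reported as unknown and should be checked against the release it was built from.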