
CVE-2025-1974 PoC — Kubernetes ingress-nginx security vulnerability

Source
Associated Vulnerability
Title: Kubernetes ingress-nginx security vulnerability (CVE-2025-1974)
Description: Kubernetes ingress-nginx is an ingress controller for Kubernetes, open-sourced by the Cloud Native Computing Foundation, that uses NGINX as a reverse proxy and load balancer. Kubernetes ingress-nginx contains a security vulnerability: under certain conditions, an unauthenticated attacker with access to the pod network can execute arbitrary code in the context of the ingress-nginx controller, which may lead to disclosure of Secrets.
Description
A minimal test tool to help detect annotation injection vulnerabilities in Kubernetes NGINX Ingress controllers. This script sends a crafted AdmissionReview request to simulate a potential exploit path from CVE-2025-1974 and checks for signs of misinterpreted annotations in controller logs.
Readme
# 🚨 Log Injection Test via Ingress-NGINX Admission Controller

## 🧠 Overview
This script tests for annotation injection vulnerabilities in Kubernetes clusters using the NGINX Ingress Controller. It is meant for **detection purposes only** in relation to [CVE-2025-1974](https://nvd.nist.gov/vuln/detail/CVE-2025-1974), which allows malicious annotations to influence NGINX configuration.

## 📚 Background
The vulnerability, disclosed by Wiz.io ([blog post](https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities)), involves injecting annotations that are improperly handled by the controller. For instance:

```yaml
nginx.ingress.kubernetes.io/auth-url: "http://placeholder/#; error_log /root/this_path_shouldnt_exist.log debug; #"
```

This can lead to unexpected NGINX configuration behavior and permission errors if processed. In more advanced scenarios, this type of injection could be chained with other misconfigurations to achieve **remote code execution (RCE)**.

## 🛠️ What This Script Does
1. Loads a crafted `AdmissionReview` payload from a YAML file.
2. Sends it to the admission controller's `/validate` endpoint.
3. Prompts the user to check ingress controller logs for results.

## 📁 Files
- `admission_review.yaml`: Contains the crafted AdmissionReview request.
- `main.py`: Sends the payload to the controller.

## 🚀 Usage
First, forward the admission controller port:

```bash
kubectl port-forward -n ingress-nginx svc/ingress-nginx-controller-admission 8443:443
```

Then run:

```bash
python main.py --url https://localhost:8443
```

## 🔍 Expected Result
Check ingress controller logs:

```bash
kubectl logs -n ingress-nginx -l app.kubernetes.io/component=controller
```

You may see:
```
nginx: [emerg] open() "/root/this_path_shouldnt_exist.log" failed (13: Permission denied)
```

This indicates that the annotation value was templated into the NGINX configuration verbatim and interpreted as a directive rather than as plain data.
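As an added, defender-side example (not code from the PoC repository), the following Python script applies the two checks this README implies: it flags ingress-nginx annotation values that carry NGINX directive syntax, using the injection value shown in the Background section as a constructed sample, and it parses controller log lines for the `nginx: [emerg] open() ... failed` signature shown above. It goes slightly beyond the page by also reporting `*-snippet` annotations, which carry raw NGINX configuration by design and are governed by the controller's `allow-snippet-annotations` setting. All annotation sets and log lines are constructed for the example; no controller is contacted.

```python
"""Defender-side checks for ingress-nginx annotation injection.

Added example, not part of the PoC repository. All sample annotations and
log lines below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

INGRESS_NGINX_PREFIX = "nginx.ingress.kubernetes.io/"

# Characters that end, open or comment out an NGINX directive. The values the
# controller templates into nginx.conf (URLs, sizes, booleans) never need them,
# so their presence is a conservative injection indicator.
DIRECTIVE_BREAK = re.compile(r"[;#{}\r\n]")
# Directive names an injected fragment would typically carry.
DIRECTIVE_WORDS = re.compile(r"\b(error_log|access_log|include|load_module)\b")


def find_suspicious_annotations(annotations: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (annotation key, reason) pairs that an auditor should review."""
    findings = []
    for key, value in sorted(annotations.items()):
        if not key.startswith(INGRESS_NGINX_PREFIX):
            continue  # not consumed by ingress-nginx
        if key.endswith("-snippet"):
            # Snippet annotations are raw NGINX config by design; report them
            # for review instead of pattern matching their contents.
            findings.append((key, "snippet"))
        elif DIRECTIVE_BREAK.search(value) or DIRECTIVE_WORDS.search(value):
            findings.append((key, "directive-syntax"))
    return findings


# The signature the README lists as the expected result of a successful test.
EMERG_OPEN = re.compile(
    r'nginx: \[emerg\] open\(\) "(?P<path>[^"]+)" failed \((?P<errno>\d+): (?P<reason>[^)]+)\)'
)
# Any other [emerg] line is still worth surfacing: nginx -t failed to load config.
EMERG_ANY = re.compile(r"nginx: \[emerg\] (?P<message>.+)")


def find_emerg_events(log_lines: List[str]) -> List[Dict[str, str]]:
    """Extract NGINX [emerg] events from controller log lines."""
    events = []
    for line in log_lines:
        m = EMERG_OPEN.search(line)
        if m:
            events.append({"kind": "open-failed", **m.groupdict()})
            continue
        m = EMERG_ANY.search(line)
        if m:
            events.append({"kind": "other", "message": m.group("message")})
    return events


# Constructed sample: ordinary annotation values, nothing to report.
CLEAN_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/auth-url": "https://auth.example.internal/check",
    "nginx.ingress.kubernetes.io/ssl-redirect": "true",
    "nginx.ingress.kubernetes.io/proxy-body-size": "8m",
    "kubernetes.io/ingress.class": "nginx",
}

# Constructed sample using the injection value from the README's Background.
INJECTED_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/auth-url":
        "http://placeholder/#; error_log /root/this_path_shouldnt_exist.log debug; #",
    "nginx.ingress.kubernetes.io/ssl-redirect": "true",
}

# Constructed sample: a snippet annotation is raw config and always reviewed.
SNIPPET_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/configuration-snippet":
        'more_set_headers "X-Frame-Options: DENY";',
}

# Constructed controller log excerpt; the [emerg] line is the one the README shows.
SAMPLE_CONTROLLER_LOGS = [
    'I0101 00:00:00.000000       1 controller.go:190] "Configuration changes detected, backend reload required"',
    'nginx: [emerg] open() "/root/this_path_shouldnt_exist.log" failed (13: Permission denied)',
    'E0101 00:00:00.000000       1 controller.go:210] "Unexpected failure reloading the backend"',
]

if __name__ == "__main__":
    for key, why in find_suspicious_annotations(INJECTED_ANNOTATIONS):
        print(f"annotation {key}: {why}")
    for event in find_emerg_events(SAMPLE_CONTROLLER_LOGS):
        print(f"controller log: {event}")
```

In a real cluster the annotation dictionaries would come from `kubectl get ingress -A -o json` (the `metadata.annotations` map of each item) and the log lines from the `kubectl logs` command shown above; the heuristics are intentionally conservative, so a flagged value is a prompt to read the Ingress manifest, not proof of compromise.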

## ⚠️ Warning
For **educational and authorized testing only**. Do not run on systems without permission.

## 🔗 References
- [Wiz Blog: Breaking Ingress NGINX](https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities)
- [NGINX Ingress Annotations](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/)
- [CVE-2025-1974](https://nvd.nist.gov/vuln/detail/CVE-2025-1974)

---
Use this tool to verify whether your cluster is vulnerable to annotation injection via NGINX Ingress. Exploitation of this vulnerability may be part of a broader attack chain leading to remote code execution.

File Snapshot

```
[4.0K] /data/pocs/d1bb4b8e135a42b14e973da1f6ed94ba108d46b4
├── [ 868] admission_review.yaml
├── [1.3K] main.py
└── [2.5K] README.md

0 directories, 3 files
```