CVE-2025-15566

Published Feb 6, 2026


CVSS 3.1 base score: 8.8 (High)
Affected: Kubernetes ingress-nginx

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-15566 is a vulnerability found in the Kubernetes ingress-nginx controller. It stems from improper input validation (CWE-20) concerning the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` Ingress annotation. This annotation, intended for setting authentication proxying headers, can be manipulated due to insufficient validation. Exploiting this flaw allows an attacker to inject arbitrary configuration directives into the nginx configuration managed by the ingress controller. Given that the ingress-nginx controller typically operates with elevated privileges and often has cluster-wide access to Kubernetes Secrets, successful exploitation could lead to arbitrary code execution within the controller's context and the unauthorized disclosure of sensitive Secrets.

Description
A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Source: jordan@liggitt.net
NVD status: Awaiting Analysis

Risk scores

CVSS 3.1 (Secondary)
Base score: 8.8
Impact score: 5.9
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

Weaknesses

CWE-20: Improper Input Validation (assigned by jordan@liggitt.net)

