CVE-2025-24513: ingress-nginx controller - auth secret file path traversal vulnerability
A security issue was discovered in ingress-nginx where attacker-provided data are included in a filename by the ingress-nginx Admission Controller feature, resulting in directory traversal within the container. This could result in denial of service, or when combined with other vulnerabilities, limited disclosure of Secret objects from the cluster.
References
- github.com/advisories/GHSA-242m-6h72-7hgp
- github.com/kubernetes/ingress-nginx
- github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.11.5
- github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.12.1
- github.com/kubernetes/kubernetes/issues/131005
- groups.google.com/g/kubernetes-security-announce/c/2qa9DFtN0cQ
- nvd.nist.gov/vuln/detail/CVE-2025-24513
Code Behaviors & Features
Detect and mitigate CVE-2025-24513 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →