CVE-2021-25748 in ingress-nginx
Summary
by MITRE • 05/24/2023
A security issue was discovered in ingress-nginx where a user that can create or update ingress objects can use a newline character to bypass the sanitization of the `spec.rules[].http.paths[].path` field of an Ingress object (in the `networking.k8s.io` or `extensions` API group) to obtain the credentials of the ingress-nginx controller. In the default configuration, that credential has access to all secrets in the cluster.
Analysis
by VulDB Data Team • 07/13/2025
This vulnerability exists in the ingress-nginx controller, where insufficient sanitization of the `spec.rules[].http.paths[].path` field of Ingress objects (in the `networking.k8s.io` or `extensions` API groups) lets a user who is allowed to create or update Ingress objects smuggle a newline character past the check. The controller copies the path value into the nginx configuration it generates, so a newline that the sanitizer fails to reject hands the attacker control over what follows on the next configuration line. The flaw is therefore an injection into the generated configuration, not a path traversal, and the sanitizer is the only thing standing between an Ingress author and the controller's configuration. Its end result, per the advisory, is that the attacker obtains the credentials of the ingress-nginx controller.
Exploitation requires nothing more than the RBAC permission to create or update Ingress resources, which is routinely granted to application teams and CI pipelines. The attacker places a benign-looking first line in the path so that a line-oriented check passes, and the remainder of the value lands in the controller's nginx configuration as attacker-chosen text. Because the default configuration of ingress-nginx runs the controller with a service account that can read all Secrets in the cluster, the stolen credential is effectively a cluster-wide Secrets reader: TLS private keys, database passwords and other service account tokens are all in reach. The weakness is CWE-20 (Improper Input Validation), and more specifically an injection into a downstream component (CWE-74), since a special character is not neutralized before the value reaches nginx. In MITRE ATT&CK terms the credential theft corresponds to T1552.007 (Unsecured Credentials: Container API), and the subsequent use of the stolen token to T1078 (Valid Accounts).
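Added example, written for this analysis and not taken from the ingress-nginx project: the two validators and the `location` template below are hypothetical stand-ins that show why a single newline in a templated field is enough. The weak check anchors its regex per line, so a value whose first line is clean passes; the rendered configuration then contains `location` blocks the attacker wrote. The hardened check rejects every control character and anchors to the whole string. The injected directive is a harmless `return 200`, but any directive the attacker can write executes in the controller's pod, which is where its service account token is mounted.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// weakPathRe uses the (?m) flag, so ^ and $ anchor to LINE boundaries. A value
// whose first line is clean matches even if later lines carry anything at all.
var weakPathRe = regexp.MustCompile(`(?m)^/[A-Za-z0-9._~/-]*$`)

// strictPathRe anchors to the start (\A) and end (\z) of the whole input.
var strictPathRe = regexp.MustCompile(`\A/[A-Za-z0-9._~/-]*\z`)

// WeakValidate is the bypassable check (illustrative, not ingress-nginx's code).
func WeakValidate(path string) bool {
	return weakPathRe.MatchString(path)
}

// HardenedValidate rejects C0 control characters and DEL outright (LF, CR,
// NUL, ...) and then requires the entire value to match the allow-list.
func HardenedValidate(path string) bool {
	for _, r := range path {
		if r < 0x20 || r == 0x7f {
			return false
		}
	}
	return strictPathRe.MatchString(path)
}

// RenderLocation stands in for the controller's template step: the path is
// pasted verbatim into a location directive. Hypothetical template text.
func RenderLocation(path string) string {
	return "location " + path + " {\n    proxy_pass http://upstream_balancer;\n}\n"
}

// LocationBlocks counts location directives in the rendered config; a single
// Ingress path should only ever produce one.
func LocationBlocks(rendered string) int {
	n := 0
	for _, line := range strings.Split(rendered, "\n") {
		if strings.HasPrefix(strings.TrimSpace(line), "location ") {
			n++
		}
	}
	return n
}

// AttackerPath is a constructed sample. Its first line is a benign path; the
// rest closes the location block and opens one the attacker controls, leaving
// the template's own "{ proxy_pass ...; }" attached to a harmless tail block.
const AttackerPath = "/app\n{\n}\nlocation /injected {\n    return 200 \"attacker-controlled directive\";\n}\nlocation /tail"

func main() {
	for _, p := range []string{"/app", AttackerPath} {
		fmt.Printf("path %q: weak=%v hardened=%v\n", p, WeakValidate(p), HardenedValidate(p))
	}
	rendered := RenderLocation(AttackerPath)
	fmt.Printf("rendered config has %d location blocks:\n%s", LocationBlocks(rendered), rendered)
}
```

Running it renders three syntactically valid `location` blocks from one path: the benign one, the injected one and the tail that absorbs the template's own body. The point of the hardened variant is not the particular regex but the unconditional rejection of control characters before the value is allowed anywhere near a template.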
The operational impact is severe because the bypass turns a namespace-scoped, routinely granted permission into cluster-wide access. With the controller's credential in hand, an attacker can read every Secret in the cluster under the default configuration and use the tokens and keys found there to reach further workloads and APIs. The vulnerability breaks the trust model of the ingress controller, which treats Ingress authors as untrusted with respect to nginx configuration but, through this bug, effectively lets them write it. Any user with Ingress create or update rights is a viable attacker, so the risk is highest in multi-tenant clusters where many teams hold that permission, and wherever the controller's service account has been left with the default broad privileges or granted even more.
Mitigation starts with upgrading ingress-nginx to a release that contains the fix for this sanitization flaw. Until that is done, and as defence in depth afterwards, restrict the ability to create or update Ingress objects through RBAC to the roles and pipelines that genuinely need it, and add an admission check (a ValidatingAdmissionPolicy, or a policy engine such as Kyverno or OPA Gatekeeper) that rejects Ingress objects whose path or annotation values contain newline or other control characters, so a malformed object never reaches the controller. Reduce the blast radius of the controller itself: run it with the minimum service account permissions, and where the deployment allows it limit its watch scope to the namespaces it serves so that it does not need cluster-wide Secret access. Network policy on the controller's endpoints does not help here, since the attack runs through the Kubernetes API rather than through ingress traffic. For detection, enable request-level audit logging for Ingress writes and alert on path values containing control characters, and review existing Ingress objects for the same pattern. Periodic review of ingress configurations and of the RBAC granted to both users and the controller helps catch similar issues in other components of the Kubernetes stack.
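Added example for the detection step above, not part of the VulDB analysis or the ingress-nginx project: a small scanner over Kubernetes audit events that flags any Ingress create, update or patch whose path contains a control character. It assumes the audit policy logs Ingress resources at level Request or RequestResponse, so that `requestObject` (or `responseObject`) carries the full object; the three log lines are constructed samples with the real `audit.k8s.io/v1` field names, and the usernames and namespaces are invented.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// ingressObject is the slice of a networking.k8s.io/v1 Ingress the detector
// inspects; every other field of the object is ignored during decoding.
type ingressObject struct {
	Spec struct {
		Rules []struct {
			HTTP *struct {
				Paths []struct {
					Path string `json:"path"`
				} `json:"paths"`
			} `json:"http"`
		} `json:"rules"`
	} `json:"spec"`
}

// auditEvent is the slice of an audit.k8s.io/v1 Event the detector needs.
type auditEvent struct {
	Verb string `json:"verb"`
	User struct {
		Username string `json:"username"`
	} `json:"user"`
	ObjectRef struct {
		Resource  string `json:"resource"`
		APIGroup  string `json:"apiGroup"`
		Namespace string `json:"namespace"`
		Name      string `json:"name"`
	} `json:"objectRef"`
	RequestObject  *ingressObject `json:"requestObject"`
	ResponseObject *ingressObject `json:"responseObject"`
}

// Finding is one Ingress write whose path field carried a control character.
type Finding struct {
	User, Verb, Namespace, Name, Path string
}

// hasControlChar covers the newline used in the bypass and its CR/NUL cousins.
func hasControlChar(s string) bool {
	for _, r := range s {
		if r < 0x20 || r == 0x7f {
			return true
		}
	}
	return false
}

// ingressPaths prefers requestObject (a full Ingress on create/update) and
// falls back to responseObject, which also covers patch requests whose
// requestObject is only the patch document.
func ingressPaths(ev *auditEvent) []string {
	var paths []string
	for _, obj := range []*ingressObject{ev.RequestObject, ev.ResponseObject} {
		if obj == nil || len(obj.Spec.Rules) == 0 {
			continue
		}
		for _, r := range obj.Spec.Rules {
			if r.HTTP == nil {
				continue
			}
			for _, p := range r.HTTP.Paths {
				paths = append(paths, p.Path)
			}
		}
		break
	}
	return paths
}

// ScanAuditLog walks newline-delimited audit events and returns a finding for
// every Ingress write whose path contains a control character.
func ScanAuditLog(log string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	sc.Buffer(make([]byte, 0, 1<<20), 1<<20) // audit lines can exceed the 64 KiB default
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev auditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			continue // not an audit event; skip the line
		}
		if ev.ObjectRef.Resource != "ingresses" || (ev.Verb != "create" && ev.Verb != "update" && ev.Verb != "patch") {
			continue
		}
		for _, p := range ingressPaths(&ev) {
			if hasControlChar(p) {
				findings = append(findings, Finding{ev.User.Username, ev.Verb, ev.ObjectRef.Namespace, ev.ObjectRef.Name, p})
			}
		}
	}
	return findings
}

// sampleAuditLog is constructed test input: a benign create, an update carrying
// the newline payload, and an unrelated Secret read that must be ignored.
const sampleAuditLog = `
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"dev-alice"},"objectRef":{"resource":"ingresses","apiGroup":"networking.k8s.io","namespace":"team-a","name":"web"},"requestObject":{"spec":{"rules":[{"http":{"paths":[{"path":"/app","pathType":"Prefix"}]}}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"update","user":{"username":"dev-mallory"},"objectRef":{"resource":"ingresses","apiGroup":"networking.k8s.io","namespace":"team-b","name":"web"},"requestObject":{"spec":{"rules":[{"http":{"paths":[{"path":"/app\n{\n}\nlocation /injected {\n    return 200 \"x\";\n}\nlocation /tail","pathType":"ImplementationSpecific"}]}}]}}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"system:serviceaccount:ingress-nginx:ingress-nginx"},"objectRef":{"resource":"secrets","namespace":"team-b","name":"tls"}}
`

func main() {
	for _, f := range ScanAuditLog(sampleAuditLog) {
		fmt.Printf("ALERT user=%s verb=%s ingress=%s/%s path=%q\n", f.User, f.Verb, f.Namespace, f.Name, f.Path)
	}
}
```

The same check belongs in an admission policy so the object is rejected rather than merely logged; the scanner is for catching writes that predate the policy and for auditing clusters where admission control cannot be changed quickly.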