CVE-2025-24513 MEDIUM

CVE-2025-24513: ingress-nginx controller - auth secret file path traversal vulnerability

Vendor Kubernetes
Product ingress-nginx
Weakness CWE-20 · Input validation
Published March 24, 2025
Last update November 3, 2025

CVSS base score

4.8/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L

What the vulnerability does

Description

A security issue was discovered in ingress-nginx (https://github.com/kubernetes/ingress-nginx) where attacker-provided data are included in a filename by the ingress-nginx Admission Controller feature, resulting in directory traversal within the container. This could result in denial of service or, when combined with other vulnerabilities, limited disclosure of Secret objects from the cluster.

Key dates

Disclosure timeline

March 24, 2025 CVE published
November 3, 2025 Record updated