x/vulndb: potential Go vuln in k8s.io/ingress-nginx: GHSA-vg63-w3p9-jc9m

[GoVulnBot]

Advisory GHSA-vg63-w3p9-jc9m references a vulnerability in the following Go modules:

Module
k8s.io/ingress-nginx

Description:
A security issue was discovered in ingress-nginx where the mirror-target and mirror-host Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

References:

• ADVISORY: GHSA-vg63-w3p9-jc9m
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-1098
• REPORT: CVE-2025-1098: ingress-nginx controller - configuration injection via unsanitized mirror annotations kubernetes/kubernetes#131008
• WEB: https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.11.5
• WEB: https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.12.1
• WEB: https://groups.google.com/g/kubernetes-security-announce/c/2qa9DFtN0cQ

Cross references:

• k8s.io/ingress-nginx appears in 7 other report(s):
  • data/excluded/GO-2022-0613.yaml (x/vulndb: potential Go vuln in k8s.io/ingress-nginx: GHSA-pvmg-xgmx-9mxh #613) NOT_IMPORTABLE
  • data/excluded/GO-2023-1789.yaml (x/vulndb: potential Go vuln in k8s.io/ingress-nginx: GHSA-863x-868h-968x #1789) NOT_IMPORTABLE
  • data/excluded/GO-2023-1916.yaml (x/vulndb: potential Go vuln in k8s.io/ingress-nginx: GHSA-hhpm-74pm-hf35 #1916) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1953.yaml (x/vulndb: potential Go vuln in k8s.io/ingress-nginx: GHSA-p3x5-5xpx-9phm #1953) NOT_IMPORTABLE
  • data/excluded/GO-2023-2174.yaml (x/vulndb: potential Go vuln in k8s.io/ingress-nginx: GHSA-5wj4-wffq-3378 #2174) NOT_IMPORTABLE
  • data/excluded/GO-2023-2175.yaml (x/vulndb: potential Go vuln in k8s.io/ingress-nginx: GHSA-gvrm-w2f9-f77q #2175) NOT_IMPORTABLE
  • data/reports/GO-2024-2428.yaml (x/vulndb: potential Go vuln in k8s.io/ingress-nginx: GHSA-fp9f-44c2-cw27 #2428)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: k8s.io/ingress-nginx
      non_go_versions:
        - fixed: 1.11.5
        - introduced: 1.12.0-beta.0
        - fixed: 1.12.1
      vulnerable_at: 0.0.0-20250325144035-1d7abc12ef72
summary: |-
    ingress-nginx controller - configuration injection via unsanitized mirror
    annotations in k8s.io/ingress-nginx
cves:
    - CVE-2025-1098
ghsas:
    - GHSA-vg63-w3p9-jc9m
references:
    - advisory: https://github.com/advisories/GHSA-vg63-w3p9-jc9m
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-1098
    - report: https://github.com/kubernetes/kubernetes/issues/131008
    - web: https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.11.5
    - web: https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.12.1
    - web: https://groups.google.com/g/kubernetes-security-announce/c/2qa9DFtN0cQ
source:
    id: GHSA-vg63-w3p9-jc9m
    created: 2025-03-25T16:01:37.051050511Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/660559 mentions this issue: data/reports: add 28 reports