
KubeSphere Gateway (Ingress-Nginx) Security Vulnerability Advisory

Vulnerability Overview

Affected Versions

  • KubeSphere & KubeSphere Enterprise v3.x versions

  • KubeSphere & KubeSphere Enterprise v4.1.x versions

Severity Level: Critical

Vulnerability Types: Privilege Escalation, Information Disclosure, Security Bypass, Directory Traversal

Vulnerability List:

  • CVE-2025-1097 (Configuration Injection, CVSS 8.8 High): Malicious configuration injection via the auth-tls-match-cn annotation, leading to arbitrary code execution and information disclosure.

  • CVE-2025-24514 (Configuration Injection, CVSS 8.8 High): Malicious configuration injection via the auth-url annotation, leading to arbitrary code execution and information disclosure.

  • CVE-2025-24513 (Directory Traversal, CVSS 4.8 Medium): File path traversal in the Admission Controller, leading to denial of service and information disclosure.

  • CVE-2025-1974 (Remote Code Execution, CVSS 9.8 Critical): Unauthenticated RCE for an attacker with access to the pod network, leading to complete cluster compromise.

  • CVE-2025-1098 (Configuration Injection, CVSS 8.8 High): Malicious configuration injection via the mirror-target and mirror-host annotations, leading to arbitrary code execution and information disclosure.

Impact Analysis

These vulnerabilities affect systems in the following ways:

  1. Code Execution Risk: CVE-2025-1097, CVE-2025-24514, CVE-2025-1098 and CVE-2025-1974 may lead to arbitrary code execution in the context of the ingress-nginx controller.

  2. Information Disclosure: By default, ingress-nginx controller can access Secrets across all namespaces, potentially exposing sensitive credentials.

  3. Unauthorized Access: In particular, CVE-2025-1974 allows any attacker with access to the pod network to gain control of the cluster without authentication (CVSS 9.8, Critical).

  4. Mitigation Condition: For CVE-2025-24514, systems with the enable-annotation-validation argument enabled (enabled by default since ingress-nginx v1.12.0) are not vulnerable.

Am I vulnerable?

Take the following steps to check if your system is affected.

  1. Check whether ingress-nginx has been installed.

    kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx

    If the command returns results, it indicates you are using ingress-nginx.

  2. Check the version of the installed ingress-nginx.

    kubectl exec -it -n ingress-nginx deploy/ingress-nginx-controller -- /nginx-ingress-controller --version

    Affected Versions:

    • < v1.11.0

    • v1.11.0 - v1.11.4

    • v1.12.0

    Important

    If you are running an affected version, apply the solutions or mitigations in this document immediately.
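The version check above can be turned into an automatic triage step. The following Python helper is an added example, not part of the KubeSphere advisory: it takes the text printed by /nginx-ingress-controller --version, extracts the Release line (the "Release: vX.Y.Z" line format is assumed from current ingress-nginx builds) and compares it against the affected and fixed versions listed in this document.

```python
import re
from typing import Optional, Tuple

# Fixed patch level per minor line, as listed in this advisory.
FIXED_PATCH = {(1, 11): 5, (1, 12): 1}

def parse_release(version_output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from the controller's --version banner.

    Assumes the banner carries a line such as 'Release: v1.12.0';
    returns None when no such line is present.
    """
    match = re.search(r"Release:\s*v?(\d+)\.(\d+)\.(\d+)", version_output)
    if not match:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)

def is_affected(release: Tuple[int, int, int]) -> bool:
    """Apply the advisory's ranges: everything below v1.11.5 on the 1.11
    line, v1.12.0, and any release before 1.11 are affected."""
    major, minor, patch = release
    if (major, minor) < (1, 11):
        return True
    fixed_patch = FIXED_PATCH.get((major, minor))
    if fixed_patch is None:
        # Any minor line newer than 1.12 is covered by "v1.12.1 or later".
        return False
    return patch < fixed_patch

def triage(version_output: str) -> str:
    """Human-readable verdict for the banner text."""
    release = parse_release(version_output)
    if release is None:
        return "unknown: no Release line found, inspect the output manually"
    tag = "v{}.{}.{}".format(*release)
    if is_affected(release):
        return f"{tag}: AFFECTED, upgrade to v1.11.5 / v1.12.1 or later"
    return f"{tag}: not affected"

# Constructed sample banner with the shape of the real --version output.
SAMPLE_BANNER = """NGINX Ingress controller
  Release:       v1.12.0
  Build:         (constructed)
  Repository:    https://github.com/kubernetes/ingress-nginx
"""

if __name__ == "__main__":
    print(triage(SAMPLE_BANNER))
```

Pipe the real output in with: kubectl exec -n ingress-nginx deploy/ingress-nginx-controller -- /nginx-ingress-controller --version | python3 -c 'import sys, triage; print(triage.triage(sys.stdin.read()))' (assuming the file is saved as triage.py).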

Solutions

1. Upgrade ingress-nginx

Upgrade ingress-nginx to one of the fixed versions:

  • v1.11.5

  • v1.12.1

  • or any later release

2. Upgrade KubeSphere Gateway

For KubeSphere and KubeSphere Enterprise v4.1.3, upgrade KubeSphere Gateway to v1.0.4 (ingress-nginx controller v1.12.1).

If you are running an older KubeSphere version, upgrade KubeSphere to v4.1.3 first.

3. Temporary Mitigation Measures

If an immediate upgrade is not possible, the following temporary mitigations can be applied.

CVE-2025-1097 Mitigation

Check and remove all auth-tls-match-cn annotations from Ingress resources.

  1. Check annotations:

    kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,AUTH_TLS_MATCH_CN:.metadata.annotations.nginx\.ingress\.kubernetes\.io/auth-tls-match-cn'
  2. Remove annotations:

    kubectl annotate ingress -n <namespace-name> <Ingress-name> nginx.ingress.kubernetes.io/auth-tls-match-cn-

CVE-2025-24514 Mitigation

  • Check and remove all auth-url annotations from Ingress resources:

    1. Check annotations:

      kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,AUTH_URL:.metadata.annotations.nginx\.ingress\.kubernetes\.io/auth-url'
    2. Remove annotations:

      kubectl annotate ingress -n <namespace-name> <Ingress-name> nginx.ingress.kubernetes.io/auth-url-
  • Alternatively, enable the enable-annotation-validation parameter (enabled by default since v1.12.0, but needs manual configuration in earlier versions):

    1. Check if annotation validation is enabled:

      kubectl get deployment -n ingress-nginx ingress-nginx-controller -o yaml | grep enable-annotation-validation
    2. If not enabled, edit the deployment to add the parameter --enable-annotation-validation=true. The ingress-nginx controller will restart automatically after saving:

      kubectl edit deployment -n ingress-nginx ingress-nginx-controller

CVE-2025-24513 and CVE-2025-1974 Mitigation

KubeSphere gateway does not enable Admission Controller by default. Use the following methods to check if your gateway has Admission Controller enabled.

  1. Check all gateway releases:

    helm list -A | grep kubesphere-router
  2. Check if Admission Controller is enabled in all releases:

    helm get values [RELEASE_NAME] -n [RELEASE_NAMESPACE]

    Note that helm get values prints only the values supplied at install time; add --all to include the chart defaults in the output. If controller.admissionWebhooks.enabled is true, contact the KubeSphere Security Team immediately for resolution.

  3. If you installed ingress-nginx separately and controller.admissionWebhooks.enabled is true, use the following methods to check and disable Admission Controller:

    Note

    This is only a temporary mitigation. If you have already upgraded to a fixed version (v1.11.5 or v1.12.1), disabling the Admission Controller is unnecessary.

    • If ingress-nginx is installed using Helm, upgrade the release with the admission webhook disabled (add --reuse-values if the release carries other custom values, so that they are not reset to chart defaults):

      helm upgrade [RELEASE_NAME] ingress-nginx/ingress-nginx \
        --set controller.admissionWebhooks.enabled=false \
        -n ingress-nginx
    • If ingress-nginx is installed manually:

      • Method 1: Delete ValidatingWebhookConfiguration:

        kubectl delete validatingwebhookconfigurations ingress-nginx-admission
      • Method 2: Edit the Deployment or DaemonSet and remove the --validating-webhook lines from the spec.containers.args section:

        kubectl edit deployment -n ingress-nginx ingress-nginx-controller

        The lines to remove look like this:

                - --validating-webhook=:8443
                - --validating-webhook-certificate=/usr/local/certificates/cert
                - --validating-webhook-key=/usr/local/certificates/key
    Important

    Upgrading to secure versions (v1.11.5, v1.12.1 or later) is the complete solution for all vulnerabilities. Disabling Admission Controller is only a temporary measure when immediate upgrade is not possible. After upgrading, keep Admission Controller enabled to ensure normal functionality.

CVE-2025-1098 Mitigation

Check and remove all mirror-target and mirror-host annotations from Ingress resources.

  1. Check annotations:

    kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,MIRROR_TARGET:.metadata.annotations.nginx\.ingress\.kubernetes\.io/mirror-target,MIRROR_HOST:.metadata.annotations.nginx\.ingress\.kubernetes\.io/mirror-host'
  2. Remove annotations:

    kubectl annotate ingress -n <namespace-name> <Ingress-name> nginx.ingress.kubernetes.io/mirror-target-
    kubectl annotate ingress -n <namespace-name> <Ingress-name> nginx.ingress.kubernetes.io/mirror-host-

Detection Methods

Use the following commands to check for potentially exploited configurations or suspicious activities:

  1. Check for potentially malicious auth-tls-match-cn annotations (CVE-2025-1097):

    kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,AUTH_TLS_MATCH_CN:.metadata.annotations.nginx\.ingress\.kubernetes\.io/auth-tls-match-cn'

    Inspect the results for suspicious content, paying special attention to annotation values containing special characters like #, }}, or newlines.

  2. Check for potentially malicious auth-url annotations (CVE-2025-24514):

    kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,AUTH_URL:.metadata.annotations.nginx\.ingress\.kubernetes\.io/auth-url'

    Inspect the results for suspicious content, paying special attention to URLs containing #, ; or newlines.

  3. Check if Admission Controller is enabled (related to CVE-2025-24513 and CVE-2025-1974):

    kubectl get validatingwebhookconfigurations -l app.kubernetes.io/name=ingress-nginx

    If results are returned, the Admission Controller is enabled and may be exposed to attack.

  4. Check for potentially malicious mirror-target or mirror-host annotations (CVE-2025-1098):

    kubectl get ingress -A -o custom-columns='NAMESPACE:.metadata.namespace,NAME:.metadata.name,MIRROR_TARGET:.metadata.annotations.nginx\.ingress\.kubernetes\.io/mirror-target,MIRROR_HOST:.metadata.annotations.nginx\.ingress\.kubernetes\.io/mirror-host'

    Inspect the results for suspicious content.

  5. Check pod logs for suspicious activities:

    kubectl logs -n ingress-nginx -l app.kubernetes.io/name=ingress-nginx --tail=1000 | grep -E "error|warn|critical|suspicious|unauthorized"

If suspicious configurations or activities are found, immediately isolate affected resources and contact the KubeSphere Security Team for further analysis.
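The annotation checks in items 1, 2 and 4 above can be run in one pass over the JSON output of kubectl get ingress -A -o json. The following Python script is an added example (not KubeSphere's own tooling): it reports every Ingress carrying one of the four annotations named in this advisory and marks values containing the characters the advisory calls out (#, }}, ; and newlines). The sample IngressList is constructed.

```python
import json
import sys

PREFIX = "nginx.ingress.kubernetes.io/"
# Annotations named in this advisory and the CVE each relates to.
WATCHED = {
    PREFIX + "auth-tls-match-cn": "CVE-2025-1097",
    PREFIX + "auth-url": "CVE-2025-24514",
    PREFIX + "mirror-target": "CVE-2025-1098",
    PREFIX + "mirror-host": "CVE-2025-1098",
}
# Characters the advisory says deserve a closer look inside annotation values.
SUSPICIOUS_TOKENS = ("#", "}}", ";", "\n", "\r")

def scan_ingress_list(ingress_list: dict) -> list:
    """Return one finding per watched annotation in an IngressList document.

    Each finding is (namespace, name, annotation, cve, suspicious).
    Every occurrence is reported, because the mitigation is to remove
    the annotation; suspicious=True marks values containing risky tokens.
    """
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        for key, cve in WATCHED.items():
            if key not in annotations:
                continue
            value = str(annotations[key])
            suspicious = any(tok in value for tok in SUSPICIOUS_TOKENS)
            findings.append((meta.get("namespace"), meta.get("name"),
                             key[len(PREFIX):], cve, suspicious))
    return findings

# Constructed sample: one plain auth-url, one mirror-target carrying '#' and a newline.
SAMPLE = {"items": [
    {"metadata": {"namespace": "shop", "name": "web", "annotations": {
        PREFIX + "auth-url": "https://auth.shop.svc/verify"}}},
    {"metadata": {"namespace": "lab", "name": "mirror", "annotations": {
        PREFIX + "mirror-target": "https://mirror.lab.svc/\n# x",
        PREFIX + "mirror-host": "mirror.lab.svc"}}},
    {"metadata": {"namespace": "docs", "name": "site"}},
]}

if __name__ == "__main__":
    # Read `kubectl get ingress -A -o json` from stdin; fall back to the sample.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for ns, name, ann, cve, bad in scan_ingress_list(data):
        print(f"{ns}/{name}: {ann} ({cve}) {'SUSPICIOUS' if bad else 'present'}")
```

Run it against a live cluster with: kubectl get ingress -A -o json | python3 scan_ingress.py (assuming the file is saved under that name).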

Best Security Practices

  • Implement strict gateway access controls

  • Configure gateway routing isolation policies

  • Enable TLS

  • Restrict Ingress resource access permissions

  • Enable audit log monitoring

  • Implement RBAC following the principle of least privilege

  • Regularly inspect and upgrade the ingress-nginx controller

  • Ensure Admission Controller is not externally exposed

  • Implement network policies to restrict Pod-to-Pod communication

Technical Support

If evidence of vulnerability exploitation is found or technical support is needed, please contact:
