Platform
kubernetes
Component
nginx-ingress-controller
Fixed in
5.3.1
5.2.1000
5.1.1000
5.0.1000
4.999.1000
3.999.1000
CVE-2025-14727 describes a vulnerability in the NGINX Ingress Controller related to the validation of the nginx.org/rewrite-target annotation. This flaw allows attackers to potentially manipulate request routing and gain unauthorized access. The vulnerability impacts versions 3.0.0 through 5.3.1 of the NGINX Ingress Controller. A fix is available in version 5.3.1.
Successful exploitation of CVE-2025-14727 could allow an attacker to manipulate the rewrite target within the NGINX Ingress Controller. This manipulation could lead to unauthorized access to backend services or resources that were not intended to be accessible. The attacker might be able to redirect traffic to malicious destinations or expose sensitive data. The blast radius depends on the configuration of the Ingress Controller and the underlying Kubernetes cluster; a compromised controller could impact multiple applications and services within the cluster. While no direct precedent exists for this specific annotation bypass, similar rewrite rule vulnerabilities in other web servers have historically been exploited to achieve remote code execution or data breaches.
CVE-2025-14727 was publicly disclosed on 2025-12-17. Its CVSS score of 8.3 (HIGH) indicates a significant risk. No public proof-of-concept (PoC) code has been released as of this writing, but the vulnerability's nature suggests that a PoC is likely to emerge. The vulnerability is not currently listed on the CISA KEV catalog. Active exploitation campaigns are not confirmed, but the potential impact warrants proactive monitoring and mitigation.
Organizations heavily reliant on NGINX Ingress Controller for managing external access to their Kubernetes clusters are at risk. This includes those deploying complex applications with multiple backend services and those who allow users to create or modify Ingress resources without proper validation.
• kubernetes / ingress: kubectl get ingress --all-namespaces -o yaml | grep -i rewrite-target
• kubernetes / audit: Review Kubernetes audit logs for suspicious modifications to Ingress resources, particularly those involving the nginx.org/rewrite-target annotation.
• generic web: Inspect NGINX access logs for unusual request patterns or redirects that might indicate exploitation.
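A structured version of the Ingress inventory check above, added here as an example and not part of the advisory: it reads the JSON form of the kubectl output (a constructed sample is embedded so it runs offline), lists every Ingress that sets nginx.org/rewrite-target, and flags values that are not plain paths for manual review. The flagging heuristic is an assumption for triage, not the controller's own validation rule.

```python
# Inventory Ingress resources carrying the nginx.org/rewrite-target annotation.
# Usage: kubectl get ingress --all-namespaces -o json | python3 this_script.py
import json
import re
import sys

ANNOTATION = "nginx.org/rewrite-target"

# Heuristic (an assumption, not the advisory's validation rule): a rewrite
# target is expected to be a plain absolute path. A URL scheme, parent
# directory traversal, NGINX variables, whitespace or control characters
# get the record flagged for manual review.
SUSPECT = re.compile(r"^(?!/)|://|\.\.|\$|\s|[\x00-\x1f]")


def looks_suspicious(target: str) -> bool:
    """Return True when the annotation value deviates from a plain path."""
    return bool(SUSPECT.search(target))


def find_rewrite_targets(ingress_list: dict) -> list[dict]:
    """Return one record per Ingress that sets the annotation."""
    found = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        value = (meta.get("annotations") or {}).get(ANNOTATION)
        if value is None:
            continue
        found.append({
            "namespace": meta.get("namespace", "default"),
            "name": meta.get("name", "?"),
            "target": value,
            "suspicious": looks_suspicious(value),
        })
    return found


# Constructed sample in the shape kubectl emits (not real cluster data).
SAMPLE = {"items": [
    {"metadata": {"namespace": "shop", "name": "web",
                  "annotations": {ANNOTATION: "/"}}},
    {"metadata": {"namespace": "shop", "name": "api",
                  "annotations": {ANNOTATION: "http://other.example/$request_uri"}}},
    {"metadata": {"namespace": "infra", "name": "grafana"}},
]}

if __name__ == "__main__":
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for rec in find_rewrite_targets(doc):
        print("REVIEW" if rec["suspicious"] else "ok", f"{rec['namespace']}/{rec['name']}: {rec['target']}")
```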
disclosure
Exploit status
EPSS
0.19% (41st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-14727 is to upgrade the NGINX Ingress Controller to version 5.3.1 or later. If an immediate upgrade is not feasible, consider implementing stricter validation rules for the nginx.org/rewrite-target annotation at the Kubernetes level, if possible. Review and restrict access to the Ingress Controller's configuration API to prevent unauthorized modification of annotations. Monitor Ingress Controller logs for suspicious rewrite activity. After upgrading, confirm the fix by attempting to set an invalid nginx.org/rewrite-target annotation and verifying that the controller rejects the change.
Upgrade NGINX Ingress Controller to version 5.3.1 or later. This fixes the validation vulnerability in the nginx.org/rewrite-target annotation.
CVE-2025-14727 is a HIGH severity vulnerability affecting NGINX Ingress Controller versions 3.0.0–5.3.1. It allows attackers to manipulate request routing via malicious rewrite-target annotations.
If you are running NGINX Ingress Controller versions 3.0.0 through 5.3.1, you are potentially affected by this vulnerability. Check your version and upgrade accordingly.
Upgrade to version 5.3.1 or later to remediate the vulnerability. Implement stricter validation of Ingress resource manifests as an interim measure.
As of December 17, 2025, there are no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the official NGINX Ingress Controller documentation and security advisories for the latest information and updates regarding CVE-2025-14727.