Platform: kubernetes
Component: nginx-ingress-controller
Fixed in: 5.3.1, 5.2.1000, 5.1.1000, 5.0.1000, 4.999.1000, 3.999.1000
CVE-2025-14727 describes a vulnerability in the NGINX Ingress Controller related to the validation of the nginx.org/rewrite-target annotation. This flaw allows attackers to potentially manipulate request routing and gain unauthorized access. The vulnerability impacts versions 3.0.0 through 5.3.1 of the NGINX Ingress Controller. A fix is available in version 5.3.1.
Successful exploitation of CVE-2025-14727 could allow an attacker to craft malicious annotations within Kubernetes Ingress resources. These annotations, specifically the nginx.org/rewrite-target parameter, are used to define how requests are rewritten before being passed to the backend server. By manipulating this parameter, an attacker might be able to redirect traffic to unintended destinations, bypass security controls, or even execute arbitrary code on the backend server. The potential blast radius depends on the backend services exposed by the Ingress Controller, potentially impacting sensitive data and critical applications. This vulnerability highlights the importance of carefully validating all user-supplied input within Kubernetes manifests.
CVE-2025-14727 was publicly disclosed on December 17, 2025. The vulnerability's impact is considered HIGH due to the potential for unauthorized access and manipulation of request routing. Currently, there are no publicly available proof-of-concept exploits. It is not listed on the CISA KEV catalog at the time of this writing.
Exploit Status
EPSS: 0.19% (41% percentile)
The primary mitigation for CVE-2025-14727 is to upgrade the NGINX Ingress Controller to version 5.3.1 or later. If immediate upgrading is not possible, consider implementing stricter validation of Ingress resource manifests to prevent the injection of malicious nginx.org/rewrite-target annotations. This could involve using Kubernetes admission controllers or custom validation scripts. Additionally, review existing Ingress resources for any suspicious annotations. After upgrading, confirm the fix by deploying a test Ingress resource with a deliberately malformed nginx.org/rewrite-target annotation and verifying that it is rejected by the controller.
Upgrade NGINX Ingress Controller to version 5.3.1 or later. This fixes the validation vulnerability in the nginx.org/rewrite-target annotation.
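The review of existing Ingress resources suggested above can be scripted. The following is an added example, not code from the advisory or from the NGINX Ingress Controller project: it reads `kubectl get ingress -A -o json` output and marks every nginx.org/rewrite-target value that falls outside a conservative allowlist for manual review. The allowlist pattern, the length limit and the sample data are assumptions made for illustration.

```python
import json
import re
import sys

ANNOTATION = "nginx.org/rewrite-target"
# Assumption: conservative allowlist for a rewrite path (letters, digits,
# "/", "_", "-", ".", and "$" for capture groups). Not the controller's own rule.
SAFE_VALUE = re.compile(r"/[A-Za-z0-9_\-./$]*")
MAX_LEN = 256  # assumed upper bound for a sane rewrite path


def iter_ingresses(doc):
    """Yield Ingress objects from a `kubectl get -o json` List or a single object."""
    items = doc.get("items") if doc.get("kind", "").endswith("List") else [doc]
    for obj in items or []:
        if obj.get("kind", "Ingress") == "Ingress":
            yield obj


def audit(doc):
    """Return (namespace, name, value, verdict) for each Ingress carrying the annotation."""
    findings = []
    for ing in iter_ingresses(doc):
        meta = ing.get("metadata", {})
        annotations = meta.get("annotations") or {}  # the field may be absent or null
        if ANNOTATION not in annotations:
            continue
        value = annotations[ANNOTATION]
        # fullmatch (not "$") so a trailing newline cannot slip past the pattern
        ok = isinstance(value, str) and len(value) <= MAX_LEN and SAFE_VALUE.fullmatch(value)
        verdict = "ok" if ok else "review"
        findings.append((meta.get("namespace", "default"), meta.get("name", "?"), value, verdict))
    return findings


# Constructed sample input shaped like `kubectl get ingress -A -o json` output.
SAMPLE = {"kind": "List", "items": [
    {"kind": "Ingress", "metadata": {"namespace": "web", "name": "shop",
                                     "annotations": {ANNOTATION: "/api/$1"}}},
    {"kind": "Ingress", "metadata": {"namespace": "web", "name": "legacy",
                                     "annotations": {ANNOTATION: "/v2 {constructed}"}}},
    {"kind": "Ingress", "metadata": {"namespace": "ops", "name": "plain"}},
]}

if __name__ == "__main__":
    # Pass "-" to read real kubectl JSON from stdin; otherwise audit the sample.
    doc = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for ns, name, value, verdict in audit(doc):
        print(f"{verdict:6} {ns}/{name}: {value!r}")
```

A "review" verdict means only that the value is outside the assumed allowlist; it is a prompt to inspect the Ingress and its author, not proof of abuse.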
CVE-2025-14727 is a HIGH severity vulnerability affecting NGINX Ingress Controller versions 3.0.0–5.3.1. It allows attackers to manipulate request routing via malicious rewrite-target annotations.
If you are running NGINX Ingress Controller versions 3.0.0 through 5.3.1, you are potentially affected by this vulnerability. Check your version and upgrade accordingly.
Upgrade to version 5.3.1 or later to remediate the vulnerability. Implement stricter validation of Ingress resource manifests as an interim measure.
As of December 17, 2025, there are no confirmed reports of active exploitation, but the vulnerability is publicly known.
Refer to the official NGINX Ingress Controller documentation and security advisories for the latest information and updates regarding CVE-2025-14727.