CVE-2025-1974 ingress-nginx critical vulnerability not detected in a vulnerable container #8709

tjanowski · 2025-04-08T15:17:55Z

tjanowski
Apr 8, 2025

IDs

CVE-2025-1974

Description

According to GHSA-mgvx-rpfc-9mpv and kubernetes/kubernetes#131009 ingress-nginx controller v.1.12.0 contains a critical vulnerability CVE-2025-1974.
This is also present in the aqua vulnerability database https://avd.aquasec.com/nvd/2025/cve-2025-1974/

However the vulnerability is not found when the container is scanned with trivy.

Reproduction Steps

1. Run

docker run aquasec/trivy image registry.k8s.io/ingress-nginx/controller:v1.12.0

CVE-2025-1974 is not present in the output



### Target

Container Image

### Scanner

Vulnerability

### Target OS

_No response_

### Debug Output

```bash
2025-04-08T15:00:23Z    DEBUG   No plugins loaded
2025-04-08T15:00:23Z    DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-04-08T15:00:23Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-04-08T15:00:23Z    DEBUG   Cache dir       dir="/root/.cache/trivy"
2025-04-08T15:00:23Z    DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-04-08T15:00:23Z    DEBUG   Ignore statuses statuses=[]
2025-04-08T15:00:23Z    DEBUG   [vulndb] There is no db file
2025-04-08T15:00:23Z    DEBUG   [vulndb] There is no valid metadata file        err="file open error: open /root/.cache/trivy/db/metadata.json: no such file or directory"
2025-04-08T15:00:23Z    INFO    [vulndb] Need to update DB
2025-04-08T15:00:23Z    DEBUG   [vulndb] No metadata file
2025-04-08T15:00:23Z    INFO    [vulndb] Downloading vulnerability DB...
2025-04-08T15:00:23Z    INFO    [vulndb] Downloading artifact...        repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-04-08T15:01:08Z    DEBUG   Updating database metadata...
2025-04-08T15:01:08Z    DEBUG   DB info schema=2 updated_at=2025-04-08T12:18:56.989857786Z next_update=2025-04-09T12:18:56.989857585Z downloaded_at=2025-04-08T15:01:08.43499204Z
2025-04-08T15:01:08Z    DEBUG   [pkg] Package types     types=[os library]
2025-04-08T15:01:08Z    DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2025-04-08T15:01:08Z    INFO    [vuln] Vulnerability scanning is enabled
2025-04-08T15:01:08Z    INFO    [secret] Secret scanning is enabled
2025-04-08T15:01:08Z    INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-04-08T15:01:08Z    INFO    [secret] Please see also https://trivy.dev/v0.60/docs/scanner/secret#recommendation for faster secret detection
2025-04-08T15:01:08Z    DEBUG   Initializing scan cache...      type="fs"
2025-04-08T15:01:09Z    DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-04-08T15:01:09Z    DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-04-08T15:01:09Z    DEBUG   [image] Detected image ID       image_id="sha256:a4a8af0db08902e65347157c5efef6d1f9e261f03c8aa14b1b40bc182b947fe7"
2025-04-08T15:01:09Z    DEBUG   [image] Detected diff ID        diff_ids=[sha256:3e01818d79cd3467f1d60e54224f3f6ce5170eceb54e265d96bb82344b8c24e7 sha256:2682218f04d1b64170aa77223ca25927e3d6931d89e121ffe4a3d734efd61cef sha256:69a0f44fead2721366699e2a4409e9611b3af401909037
e2758d3cc73238107a sha256:43972bb1bb31b329959c2a149a155ad78c66dcc7d6a77003e0a5a7532d42ce1d sha256:d7a8409ceb76c7f1e35bb252b1b86f487edb8b25a7937926af177a3b316367e5 sha256:96b9ae457f59557b462da6be6c9977b2d2db99437dcd13ee372f679b6d33241b sha256:5f70bf18a086007016e948b04aed3
b82103a36bea41755b6cddfaf10ace3c6ef sha256:be69a5ad470e8e67ea93f13aa825e40cf1e1d2104609e2e7c2a6c8a306e0e8df sha256:165f2a3e4312848b623a3aaec5678a38d698ceab5d717714b7d64d8e1f4fcd77 sha256:6d134d3d7e8aa630874f7c4e9db3db48d1895c60f3e5ce73272412404a9b723b sha256:d37a3e42d123
ca619ceab4bbe3c1e9a96d0a837e5e0e3052b33dbd0e842c5661 sha256:2874b9cc5af111c3a09857a37589ca899ee15c30690be9bff7ad7c634ea96c41 sha256:c41a4417ce6560b28e5d3f0450fcbdd75a40b671a4a6114e82ea50cdb7f911ed sha256:0b575ed2eb69c925e7f4fd53fef731203a7e91959211d9fad9fbed8094448fd2 sh
a256:6e436531de71f1ce67445886252520916b302d8dd3beda5f881ecd1696c48c6e]
2025-04-08T15:01:09Z    DEBUG   [image] Detected base layers    diff_ids=[sha256:3e01818d79cd3467f1d60e54224f3f6ce5170eceb54e265d96bb82344b8c24e7 sha256:2682218f04d1b64170aa77223ca25927e3d6931d89e121ffe4a3d734efd61cef sha256:69a0f44fead2721366699e2a4409e9611b3af401909037
e2758d3cc73238107a sha256:43972bb1bb31b329959c2a149a155ad78c66dcc7d6a77003e0a5a7532d42ce1d sha256:d7a8409ceb76c7f1e35bb252b1b86f487edb8b25a7937926af177a3b316367e5 sha256:96b9ae457f59557b462da6be6c9977b2d2db99437dcd13ee372f679b6d33241b]
2025-04-08T15:01:09Z    DEBUG   [image] Missing image ID in cache       image_id="sha256:a4a8af0db08902e65347157c5efef6d1f9e261f03c8aa14b1b40bc182b947fe7"
2025-04-08T15:01:09Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:69a0f44fead2721366699e2a4409e9611b3af401909037e2758d3cc73238107a"
2025-04-08T15:01:09Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:43972bb1bb31b329959c2a149a155ad78c66dcc7d6a77003e0a5a7532d42ce1d"
2025-04-08T15:01:09Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:3e01818d79cd3467f1d60e54224f3f6ce5170eceb54e265d96bb82344b8c24e7"
2025-04-08T15:01:09Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:d7a8409ceb76c7f1e35bb252b1b86f487edb8b25a7937926af177a3b316367e5"
2025-04-08T15:01:09Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:2682218f04d1b64170aa77223ca25927e3d6931d89e121ffe4a3d734efd61cef"
2025-04-08T15:01:09Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:96b9ae457f59557b462da6be6c9977b2d2db99437dcd13ee372f679b6d33241b"
2025-04-08T15:01:11Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"
2025-04-08T15:01:12Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:be69a5ad470e8e67ea93f13aa825e40cf1e1d2104609e2e7c2a6c8a306e0e8df"
2025-04-08T15:01:14Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:165f2a3e4312848b623a3aaec5678a38d698ceab5d717714b7d64d8e1f4fcd77"
2025-04-08T15:01:14Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:6d134d3d7e8aa630874f7c4e9db3db48d1895c60f3e5ce73272412404a9b723b"
2025-04-08T15:01:14Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:d37a3e42d123ca619ceab4bbe3c1e9a96d0a837e5e0e3052b33dbd0e842c5661"
2025-04-08T15:01:17Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:2874b9cc5af111c3a09857a37589ca899ee15c30690be9bff7ad7c634ea96c41"
2025-04-08T15:01:19Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used        dependency="k8s.io/ingress-nginx"
2025-04-08T15:01:19Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="k8s.io/ingress-nginx" -ldflags=[]
2025-04-08T15:01:19Z    DEBUG   [gobinary] Unable to detect dependency version. `-ldflags` build info settings don't contain version flag. Empty version used.  dependency="k8s.io/ingress-nginx"
2025-04-08T15:01:19Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:c41a4417ce6560b28e5d3f0450fcbdd75a40b671a4a6114e82ea50cdb7f911ed"
2025-04-08T15:01:20Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:0b575ed2eb69c925e7f4fd53fef731203a7e91959211d9fad9fbed8094448fd2"
2025-04-08T15:01:20Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used        dependency="k8s.io/ingress-nginx"
2025-04-08T15:01:20Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="k8s.io/ingress-nginx" -ldflags=[]
2025-04-08T15:01:20Z    DEBUG   [gobinary] Unable to detect dependency version. `-ldflags` build info settings don't contain version flag. Empty version used.  dependency="k8s.io/ingress-nginx"
2025-04-08T15:01:20Z    DEBUG   [image] Missing diff ID in cache        diff_id="sha256:6e436531de71f1ce67445886252520916b302d8dd3beda5f881ecd1696c48c6e"
2025-04-08T15:01:37Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used        dependency="k8s.io/ingress-nginx"
2025-04-08T15:01:37Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="k8s.io/ingress-nginx" -ldflags=[]
2025-04-08T15:01:37Z    DEBUG   [gobinary] Unable to detect dependency version. `-ldflags` build info settings don't contain version flag. Empty version used.  dependency="k8s.io/ingress-nginx"
2025-04-08T15:01:43Z    DEBUG   [gobinary] Unable to detect main module's dependency version - `(devel)` is used        dependency="k8s.io/ingress-nginx"
2025-04-08T15:01:43Z    DEBUG   [gobinary] Parsing dependency's build info settings     dependency="k8s.io/ingress-nginx" -ldflags=[]
2025-04-08T15:01:43Z    DEBUG   [gobinary] Unable to detect dependency version. `-ldflags` build info settings don't contain version flag. Empty version used.  dependency="k8s.io/ingress-nginx"
2025-04-08T15:01:54Z    DEBUG   No secrets found in container image config
2025-04-08T15:01:54Z    INFO    Detected OS     family="alpine" version="3.21.0"
2025-04-08T15:01:54Z    INFO    [alpine] Detecting vulnerabilities...   os_version="3.21" repository="3.21" pkg_num=120
2025-04-08T15:01:54Z    INFO    Number of language-specific files       num=3
2025-04-08T15:01:54Z    INFO    [gobinary] Detecting vulnerabilities...
2025-04-08T15:01:54Z    DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path="dbg"
2025-04-08T15:01:54Z    DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="k8s.io/ingress-nginx"
2025-04-08T15:01:54Z    DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path="nginx-ingress-controller"
2025-04-08T15:01:54Z    DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="k8s.io/ingress-nginx"
2025-04-08T15:01:54Z    DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path="wait-shutdown"
2025-04-08T15:01:54Z    DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="k8s.io/ingress-nginx"
2025-04-08T15:01:54Z    WARN    Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.60/docs/scanner/vulnerability#severity-selection for details.
2025-04-08T15:01:54Z    DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-04-08T15:01:54Z    DEBUG   [vex] VEX filtering is disabled

Report Summary

┌──────────────────────────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                              Target                              │   Type   │ Vulnerabilities │ Secrets │
├──────────────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ registry.k8s.io/ingress-nginx/controller:v1.12.0 (alpine 3.21.0) │  alpine  │       18        │    -    │
├──────────────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ dbg                                                              │ gobinary │        3        │    -    │
├──────────────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ nginx-ingress-controller                                         │ gobinary │        4        │    -    │
├──────────────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ wait-shutdown                                                    │ gobinary │        3        │    -    │
└──────────────────────────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


registry.k8s.io/ingress-nginx/controller:v1.12.0 (alpine 3.21.0)
================================================================
Total: 18 (UNKNOWN: 2, LOW: 4, MEDIUM: 5, HIGH: 7, CRITICAL: 0)

┌────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ curl       │ CVE-2025-0725  │ MEDIUM   │ fixed  │ 8.11.1-r0         │ 8.12.0-r0     │ libcurl: Buffer Overflow in libcurl via zlib Integer         │
│            │                │          │        │                   │               │ Overflow                                                     │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-0725                    │
│            ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2025-0167  │ LOW      │        │                   │               │ When asked to use a `.netrc` file for credentials **and** to │
│            │                │          │        │                   │               │ follow...                                                    │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-0167                    │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2025-0665  │          │        │                   │               │ libcurl would wrongly close the same eventfd file descriptor │
│            │                │          │        │                   │               │ twice whe ......                                             │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-0665                    │
├────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2024-12797 │ HIGH     │        │ 3.3.2-r4          │ 3.3.3-r0      │ openssl: RFC7250 handshakes with unauthenticated servers     │
│            │                │          │        │                   │               │ don't abort as expected                                      │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-12797                   │
│            ├────────────────┼──────────┤        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│            │ CVE-2024-13176 │ MEDIUM   │        │                   │ 3.3.2-r5      │ openssl: Timing side-channel in ECDSA signature computation  │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-13176                   │
├────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcurl    │ CVE-2025-0725  │          │        │ 8.11.1-r0         │ 8.12.0-r0     │ libcurl: Buffer Overflow in libcurl via zlib Integer         │
│            │                │          │        │                   │               │ Overflow                                                     │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-0725                    │
│            ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2025-0167  │ LOW      │        │                   │               │ When asked to use a `.netrc` file for credentials **and** to │
│            │                │          │        │                   │               │ follow...                                                    │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-0167                    │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2025-0665  │          │        │                   │               │ libcurl would wrongly close the same eventfd file descriptor │
│            │                │          │        │                   │               │ twice whe ......                                             │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-0665                    │
├────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libssl3    │ CVE-2024-12797 │ HIGH     │        │ 3.3.2-r4          │ 3.3.3-r0      │ openssl: RFC7250 handshakes with unauthenticated servers     │
│            │                │          │        │                   │               │ don't abort as expected                                      │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-12797                   │
│            ├────────────────┼──────────┤        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│            │ CVE-2024-13176 │ MEDIUM   │        │                   │ 3.3.2-r5      │ openssl: Timing side-channel in ECDSA signature computation  │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-13176                   │
├────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libxml2    │ CVE-2024-56171 │ HIGH     │        │ 2.13.4-r3         │ 2.13.4-r4     │ libxml2: Use-After-Free in libxml2                           │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-56171                   │
│            ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│            │ CVE-2025-24928 │          │        │                   │               │ libxml2: Stack-based buffer overflow in xmlSnprintfElements  │
│            │                │          │        │                   │               │ of libxml2                                                   │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-24928                   │
│            ├────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│            │ CVE-2025-27113 │          │        │                   │ 2.13.4-r5     │ libxml2: NULL Pointer Dereference in libxml2 xmlPatMatch     │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-27113                   │
├────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ musl       │ CVE-2025-26519 │ UNKNOWN  │        │ 1.2.5-r8          │ 1.2.5-r9      │ musl libc 0.9.13 through 1.2.5 before 1.2.6 has an           │
│            │                │          │        │                   │               │ out-of-bounds write ......                                   │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-26519                   │
├────────────┤                │          │        │                   │               │                                                              │
│ musl-utils │                │          │        │                   │               │                                                              │
│            │                │          │        │                   │               │                                                              │
│            │                │          │        │                   │               │                                                              │
├────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ openssl    │ CVE-2024-12797 │ HIGH     │        │ 3.3.2-r4          │ 3.3.3-r0      │ openssl: RFC7250 handshakes with unauthenticated servers     │
│            │                │          │        │                   │               │ don't abort as expected                                      │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-12797                   │
│            ├────────────────┼──────────┤        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│            │ CVE-2024-13176 │ MEDIUM   │        │                   │ 3.3.2-r5      │ openssl: Timing side-channel in ECDSA signature computation  │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-13176                   │
├────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ xz-libs    │ CVE-2025-31115 │ HIGH     │        │ 5.6.3-r0          │ 5.6.3-r1      │ xz: XZ has a heap-use-after-free bug in threaded .xz decoder │
│            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-31115                   │
└────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

dbg (gobinary)
==============
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-45336 │ MEDIUM   │ fixed  │ v1.23.4           │ 1.22.11, 1.23.5, 1.24.0-rc.2 │ golang: net/http: net/http: sensitive headers incorrectly    │
│         │                │          │        │                   │                              │ sent after cross-domain redirect                             │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45336                   │
│         ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-45341 │          │        │                   │                              │ golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can │
│         │                │          │        │                   │                              │ bypass URI name...                                           │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45341                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-22866 │          │        │                   │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│         │                │          │        │                   │                              │ on ppc64le in crypto/internal/nistec                         │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22866                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘

nginx-ingress-controller (gobinary)
===================================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 0, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2025-22870 │ MEDIUM   │ fixed  │ v0.33.0           │ 0.36.0                       │ golang.org/x/net/proxy: golang.org/x/net/http/httpproxy:     │
│                  │                │          │        │                   │                              │ HTTP Proxy bypass using IPv6 Zone IDs in golang.org/x/net    │
│                  │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22870                   │
├──────────────────┼────────────────┤          │        ├───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib           │ CVE-2024-45336 │          │        │ v1.23.4           │ 1.22.11, 1.23.5, 1.24.0-rc.2 │ golang: net/http: net/http: sensitive headers incorrectly    │
│                  │                │          │        │                   │                              │ sent after cross-domain redirect                             │
│                  │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45336                   │
│                  ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│                  │ CVE-2024-45341 │          │        │                   │                              │ golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can │
│                  │                │          │        │                   │                              │ bypass URI name...                                           │
│                  │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45341                   │
│                  ├────────────────┤          │        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                  │ CVE-2025-22866 │          │        │                   │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│                  │                │          │        │                   │                              │ on ppc64le in crypto/internal/nistec                         │
│                  │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22866                   │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘

wait-shutdown (gobinary)
========================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 0, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │        Fixed Version         │                            Title                             │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-45336 │ MEDIUM   │ fixed  │ v1.23.4           │ 1.22.11, 1.23.5, 1.24.0-rc.2 │ golang: net/http: net/http: sensitive headers incorrectly    │
│         │                │          │        │                   │                              │ sent after cross-domain redirect                             │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45336                   │
│         ├────────────────┤          │        │                   │                              ├──────────────────────────────────────────────────────────────┤
│         │ CVE-2024-45341 │          │        │                   │                              │ golang: crypto/x509: crypto/x509: usage of IPv6 zone IDs can │
│         │                │          │        │                   │                              │ bypass URI name...                                           │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2024-45341                   │
│         ├────────────────┤          │        │                   ├──────────────────────────────┼──────────────────────────────────────────────────────────────┤
│         │ CVE-2025-22866 │          │        │                   │ 1.22.12, 1.23.6, 1.24.0-rc.3 │ crypto/internal/nistec: golang: Timing sidechannel for P-256 │
│         │                │          │        │                   │                              │ on ppc64le in crypto/internal/nistec                         │
│         │                │          │        │                   │                              │ https://avd.aquasec.com/nvd/cve-2025-22866                   │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────┴──────────────────────────────────────────────────────────────┘

Version

Version: 0.60.0

Checklist

Read the documentation regarding wrong detection
Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

itaysk · 2025-04-08T18:45:23Z

itaysk
Apr 8, 2025
Maintainer

the nginx-ingress-controller binary is missing version information:

go version -m ./nginx-ingress-controller 
./nginx-ingress-controller: go1.22.4
	path	k8s.io/ingress-nginx/cmd/nginx
	mod	k8s.io/ingress-nginx	(devel)

this might be resolved if/when k8s team use go1.24 to build their binaries which "sets the main module’s version in the compiled binary based on the version control system tag and/or commit".
Trivy can also detect this vulnerability by directly scanning your cluster, and not relying on container image scanning at all, as demonstrated in the blog post: https://www.aquasec.com/blog/ingress-nginx-vulnerabilities-what-you-need-to-know/#section-6

5 replies

tjanowski Apr 9, 2025
Author

Thank you, that's very helpful. We were quite concerned about having missed a critical vulnerability, but it seems like k8s cluster scanning is the way to go.

Percivalll Apr 17, 2025

the nginx-ingress-controller binary is missing version information:
go version -m ./nginx-ingress-controller 
./nginx-ingress-controller: go1.22.4
	path	k8s.io/ingress-nginx/cmd/nginx
	mod	k8s.io/ingress-nginx	(devel)	
this might be resolved if/when k8s team use go1.24 to build their binaries which "sets the main module’s version in the compiled binary based on the version control system tag and/or commit". Trivy can also detect this vulnerability by directly scanning your cluster, and not relying on container image scanning at all, as demonstrated in the blog post: https://www.aquasec.com/blog/ingress-nginx-vulnerabilities-what-you-need-to-know/#section-6

But I found that grype $ grype registry.k8s.io/ingress- ✔ Parsed image ✔ Cataloged contents ├── ✔ Packages ├── ✔ File digests ├── ✔ File metadata └── ✔ Executables ✔ Scanned for vulnerabilities ├── by severity: └── by status: NAME INSTALLED FIXED-IN c-ares 1.34.3-r0 1.34.5-r0 curl 8.11.1-r0 8.12.0-r0 curl 8.11.1-r0 8.12.0-r0 curl 8.11.1-r0 8.12.0-r0 golang.org/x/net v0.33.0 0.36.0 golang.org/x/net v0.33.0 0.38.0 grpc 1.62.1-r2 grpc-cpp 1.62.1-r2 k8s.io/ingress-nginx v1.12.0 k8s.io/ingress-nginx v1.12.0 1.12.1 k8s.io/ingress-nginx v1.12.0 1.12.1 k8s.io/ingress-nginx v1.12.0 1.12.1 k8s.io/ingress-nginx v1.12.0 1.12.1 libaddress_sorting 1.62.1-r2 libcrypto3 3.3.2-r4 3.3.3-r0 libcrypto3 3.3.2-r4 3.3.2-r5 libcurl 8.11.1-r0 8.12.0-r0 libcurl 8.11.1-r0 8.12.0-r0 libcurl 8.11.1-r0 8.12.0-r0 libgpr 1.62.1-r2 libgrpc 1.62.1-r2 libgrpc_unsecure 1.62.1-r2 libssl3 3.3.2-r4 3.3.3-r0 libssl3 3.3.2-r4 3.3.2-r5 libupb_base_lib 1.62.1-r2 libupb_json_lib 1.62.1-r2 libupb_mem_lib 1.62.1-r2 libupb_message_lib 1.62.1-r2 libupb_textformat_lib 1.62.1-r2 libxml2 2.13.4-r3 2.13.4-r4 libxml2 2.13.4-r3 2.13.4-r4 libxml2 2.13.4-r3 2.13.4-r5 musl 1.2.5-r8 1.2.5-r9 musl-utils 1.2.5-r8 1.2.5-r9 nginx 1.25.5 1.26.1 nginx 1.25.5 1.26.1 nginx 1.25.5 1.26.1 nginx 1.25.5 1.26.1 nginx 1.25.5 nginx 1.25.5 openssl 3.3.2-r4 3.3.3-r0 openssl 3.3.2-r4 3.3.2-r5 stdlib go1.23.4 stdlib go1.23.4 stdlib go1.23.4 stdlib go1.23.4 xz-libs 5.6.3-r0 5.6.3-r1 detectes this vulnerability:
nginx/controller:v1.12.0
sha256:a4a8af0db08902e65347157c5efef6d1f9e261f03c8aa14b1b40bc182b947fe7
5c06930ada97e5df24a3ec60c55723acf78d3177086922ba6352b4f863a39649
[217 packages]
[783 files]
[783 locations]
[214 executables]
[55 vulnerability matches]
3 critical, 12 high, 35 medium, 2 low, 0 negligible (3 unknown)
44 fixed, 11 not-fixed, 0 ignored
TYPE VULNERABILITY SEVERITY
apk CVE-2025-31498 High
apk CVE-2025-0665 Critical
apk CVE-2025-0725 High
apk CVE-2025-0167 Low
go-module GHSA-qxp5-gwg8-xv66 Medium
go-module GHSA-vvgc-356p-c3xw Medium
apk CVE-2024-7246 Medium
apk CVE-2024-7246 Medium
1.12.1 go-module GHSA-mgvx-rpfc-9mpv Critical
go-module GHSA-823x-fv5p-h7hw High
go-module GHSA-fwwp-xcxw-39vq High
go-module GHSA-vg63-w3p9-jc9m High
go-module GHSA-242m-6h72-7hgp Medium
apk CVE-2024-7246 Medium
apk CVE-2024-12797 Medium
apk CVE-2024-13176 Medium
apk CVE-2025-0665 Critical
apk CVE-2025-0725 High
apk CVE-2025-0167 Low
apk CVE-2024-7246 Medium
apk CVE-2024-7246 Medium
apk CVE-2024-7246 Medium
apk CVE-2024-12797 Medium
apk CVE-2024-13176 Medium
apk CVE-2024-7246 Medium
apk CVE-2024-7246 Medium
apk CVE-2024-7246 Medium
apk CVE-2024-7246 Medium
apk CVE-2024-7246 Medium
apk CVE-2024-56171 High
apk CVE-2025-24928 High
apk CVE-2025-27113 High
apk CVE-2025-26519 High
apk CVE-2025-26519 High
binary CVE-2024-31079 Medium
binary CVE-2024-32760 Medium
binary CVE-2024-34161 Medium
binary CVE-2024-35200 Medium
1.26.2, 1.27.1 binary CVE-2024-7347 Medium
1.26.3, 1.27.4 binary CVE-2025-23419 Medium
apk CVE-2024-12797 Medium
apk CVE-2024-13176 Medium
1.22.11, 1.23.5, 1.24.0-rc.2 go-module CVE-2024-45336 Medium
1.22.11, 1.23.5, 1.24.0-rc.2 go-module CVE-2024-45341 Medium
1.22.12, 1.23.6, 1.24.0-rc.3 go-module CVE-2025-22866 Medium
1.23.8, 1.24.2 go-module CVE-2025-22871 Unknown
apk CVE-2025-31115 High

Is there potential for Trivy to improve further in detecting similar vulnerabilities?

Percivalll Apr 17, 2025

syft's outpout:

{
            "id": "912e3b23998ff8f1",
            "name": "k8s.io/ingress-nginx",
            "version": "v1.12.0",
            "type": "go-module",
            "foundBy": "go-module-binary-cataloger",
            "locations": [
                {
                    "path": "/nginx-ingress-controller",
                    "layerID": "sha256:0b575ed2eb69c925e7f4fd53fef731203a7e91959211d9fad9fbed8094448fd2",
                    "accessPath": "/nginx-ingress-controller",
                    "annotations": {
                        "evidence": "primary"
                    }
                }
            ],
            "licenses": [],
            "language": "go",
            "cpes": [],
            "purl": "pkg:golang/k8s.io/[email protected]",
            "metadataType": "go-module-buildinfo-entry",
            "metadata": {
                "goBuildSettings": [
                    {
                        "key": "-buildmode",
                        "value": "exe"
                    },
                    {
                        "key": "-compiler",
                        "value": "gc"
                    },
                    {
                        "key": "-trimpath",
                        "value": "true"
                    },
                    {
                        "key": "CGO_ENABLED",
                        "value": "0"
                    },
                    {
                        "key": "GOARCH",
                        "value": "amd64"
                    },
                    {
                        "key": "GOOS",
                        "value": "linux"
                    },
                    {
                        "key": "GOAMD64",
                        "value": "v1"
                    }
                ],
                "goCompiledVersion": "go1.23.4",
                "architecture": "amd64",
                "mainModule": "k8s.io/ingress-nginx"
            }
        }

knqyf263 Apr 17, 2025
Maintainer

Since we're not a Syft maintainer, we don't know how they detect it. This process may be relevant, though.
https://github.com/anchore/syft/blob/b13ffdd30466827a9444f272ae28dab7968f4f40/syft/pkg/cataloger/golang/parse_go_binary.go#L258-L270

$ perl -0777 -lne 'while(/[\x00\x{FFFD}]?(?:\.L)?(v?\d+\.\d+\.\d+(?:[-\w]*[+\w]*))(?=\x00)/g){ print "$1\n" }' ./nginx-ingress-controller | head -n 1
v1.12.0

However, I'm not sure how accurate it is.

$ perl -0777 -lne 'while(/[\x00\x{FFFD}]?(?:\.L)?(v?\d+\.\d+\.\d+(?:[-\w]*[+\w]*))(?=\x00)/g){ print "$1\n" }' ./trivy | head -n 1
0.0.1

stchstepan Jul 9, 2025

@Percivalll hello
how did you get this report?
I tried the same comand:

grype registry.k8s.io/ingress-nginx/controller:v1.12.0

 ✔ Loaded image                                                                                                                                                                                                                                                 registry.k8s.io/ingress-nginx/controller:v1.12.0 
 ✔ Parsed image                                                                                                                                                                                                                          sha256:7b4a1b1d7abb1cacd3ace1c1ece687ccb508e7ac738d25fcbb2ba2871e979029 
 ✔ Cataloged contents                                                                                                                                                                                                                           d28ecca51e1d2037f3293433b8a8a0dbb1e22437d5ad3b11ee2e5d3d66c58b7a 
   ├── ✔ Packages                        [214 packages]  
   ├── ✔ Executables                     [214 executables]  
   ├── ✔ File metadata                   [783 locations]  
   └── ✔ File digests                    [783 files]  
 ✔ Scanned for vulnerabilities     [63 vulnerability matches]  
   ├── by severity: 5 critical, 11 high, 39 medium, 8 low, 0 negligible
   └── by status:   44 fixed, 19 not-fixed, 0 ignored 
NAME                   INSTALLED  FIXED IN                      TYPE       VULNERABILITY        SEVERITY  EPSS %  RISK   
curl                   8.11.1-r0  8.12.0-r0                     apk        CVE-2025-0665        Critical  84.22   2.2    
libcurl                8.11.1-r0  8.12.0-r0                     apk        CVE-2025-0665        Critical  84.22   2.2    
curl                   8.11.1-r0  8.12.0-r0                     apk        CVE-2025-0725        High      44.21   0.2    
libcurl                8.11.1-r0  8.12.0-r0                     apk        CVE-2025-0725        High      44.21   0.2    
c-ares                 1.34.3-r0  1.34.5-r0                     apk        CVE-2025-31498       High      37.00   0.1    
nginx                  1.25.5     1.26.3, 1.27.4                binary     CVE-2025-23419       Medium    47.53   0.1    
nginx                  1.25.5     1.26.1                        binary     CVE-2024-34161       Medium    41.47   < 0.1  
nginx                  1.25.5     1.26.1                        binary     CVE-2024-35200       Medium    40.93   < 0.1  
nginx                  1.25.5     1.26.1                        binary     CVE-2024-32760       Medium    36.88   < 0.1  
libcrypto3             3.3.2-r4   3.3.3-r0                      apk        CVE-2024-12797       Medium    36.65   < 0.1  
libssl3                3.3.2-r4   3.3.3-r0                      apk        CVE-2024-12797       Medium    36.65   < 0.1  
openssl                3.3.2-r4   3.3.3-r0                      apk        CVE-2024-12797       Medium    36.65   < 0.1  
xz-libs                5.6.3-r0   5.6.3-r1                      apk        CVE-2025-31115       High      27.62   < 0.1  
nginx                  1.25.5     1.26.1                        binary     CVE-2024-31079       Medium    36.88   < 0.1  
nginx                  1.25.5     1.26.2, 1.27.1                binary     CVE-2024-7347        Medium    29.60   < 0.1  
libxml2                2.13.4-r3  2.13.4-r5                     apk        CVE-2025-27113       High      21.51   < 0.1  
libcrypto3             3.3.2-r4   3.3.2-r5                      apk        CVE-2024-13176       Medium    21.66   < 0.1  
libssl3                3.3.2-r4   3.3.2-r5                      apk        CVE-2024-13176       Medium    21.66   < 0.1  
openssl                3.3.2-r4   3.3.2-r5                      apk        CVE-2024-13176       Medium    21.66   < 0.1  
grpc                   1.62.1-r2                                apk        CVE-2024-7246        Medium    17.38   < 0.1  
grpc-cpp               1.62.1-r2                                apk        CVE-2024-7246        Medium    17.38   < 0.1  
libaddress_sorting     1.62.1-r2                                apk        CVE-2024-7246        Medium    17.38   < 0.1  
libgpr                 1.62.1-r2                                apk        CVE-2024-7246        Medium    17.38   < 0.1  
libgrpc                1.62.1-r2                                apk        CVE-2024-7246        Medium    17.38   < 0.1  
libgrpc_unsecure       1.62.1-r2                                apk        CVE-2024-7246        Medium    17.38   < 0.1  
libupb_base_lib        1.62.1-r2                                apk        CVE-2024-7246        Medium    17.38   < 0.1  
libupb_json_lib        1.62.1-r2                                apk        CVE-2024-7246        Medium    17.38   < 0.1  
libupb_mem_lib         1.62.1-r2                                apk        CVE-2024-7246        Medium    17.38   < 0.1  
libupb_message_lib     1.62.1-r2                                apk        CVE-2024-7246        Medium    17.38   < 0.1  
libupb_textformat_lib  1.62.1-r2                                apk        CVE-2024-7246        Medium    17.38   < 0.1  
stdlib                 go1.23.4   1.23.10, 1.24.4               go-module  CVE-2025-4673        Medium    11.31   < 0.1  
stdlib                 go1.23.4   1.23.8, 1.24.2                go-module  CVE-2025-22871       Critical  4.44    < 0.1  
libxml2                2.13.4-r3  2.13.4-r6                     apk        CVE-2025-32415       High      5.64    < 0.1  
stdlib                 go1.23.4   1.22.11, 1.23.5, 1.24.0-rc.2  go-module  CVE-2024-45336       Medium    7.41    < 0.1  
curl                   8.11.1-r0  8.12.0-r0                     apk        CVE-2025-0167        Low       17.10   < 0.1  
libcurl                8.11.1-r0  8.12.0-r0                     apk        CVE-2025-0167        Low       17.10   < 0.1  
golang.org/x/net       v0.33.0    0.38.0                        go-module  GHSA-vvgc-356p-c3xw  Medium    7.86    < 0.1  
stdlib                 go1.23.4   1.22.11, 1.23.5, 1.24.0-rc.2  go-module  CVE-2024-45341       Medium    5.09    < 0.1  
libxml2                2.13.4-r3  2.13.4-r6                     apk        CVE-2025-32414       High      2.63    < 0.1  
musl                   1.2.5-r8   1.2.5-r9                      apk        CVE-2025-26519       High      1.27    < 0.1  
musl-utils             1.2.5-r8   1.2.5-r9                      apk        CVE-2025-26519       High      1.27    < 0.1  
curl                   8.11.1-r0                                apk        CVE-2025-5025        Medium    3.27    < 0.1  
curl                   8.11.1-r0                                apk        CVE-2025-4947        Medium    1.40    < 0.1  
libxml2                2.13.4-r3  2.13.4-r4                     apk        CVE-2025-24928       High      0.55    < 0.1  
libxml2                2.13.4-r3  2.13.4-r4                     apk        CVE-2024-56171       High      0.43    < 0.1  
golang.org/x/net       v0.33.0    0.36.0                        go-module  GHSA-qxp5-gwg8-xv66  Medium    1.24    < 0.1  
busybox                1.37.0-r9                                apk        CVE-2025-46394       Low       2.91    < 0.1  
busybox-binsh          1.37.0-r9                                apk        CVE-2025-46394       Low       2.91    < 0.1  
ssl_client             1.37.0-r9                                apk        CVE-2025-46394       Low       2.91    < 0.1  
busybox                1.37.0-r9                                apk        CVE-2024-58251       Low       2.60    < 0.1  
busybox-binsh          1.37.0-r9                                apk        CVE-2024-58251       Low       2.60    < 0.1  
ssl_client             1.37.0-r9                                apk        CVE-2024-58251       Low       2.60    < 0.1  
stdlib                 go1.23.4   1.22.12, 1.23.6, 1.24.0-rc.3  go-module  CVE-2025-22866       Medium    0.47    < 0.1

but i can't see information about CVE-2025-1974

grype version:

Application:         grype
Version:             0.95.0
BuildDate:           2025-07-02T17:07:55Z
GitCommit:           Homebrew
GitDescription:      [not provided]
Platform:            darwin/arm64
GoVersion:           go1.24.4
Compiler:            gc
Syft Version:        v1.28.0
Supported DB Schema: 6

mbrancato · 2025-07-18T17:03:30Z

mbrancato
Jul 18, 2025

I have the opposite issue (false positive) on a custom-built distroless ingress-nginx 1.11.7 container. FPs are detected both for ingress-nginx and nginx.

% trivy image --scanners vuln 8fe095a85e5f
...
usr/bin/nginx-ingress-controller (gobinary)

Total: 12 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 7, CRITICAL: 1)

┌──────────────────────┬──────────────────┬──────────┬────────┬──────────────────────────────────────────┬────────────────┬──────────────────────────────────────────────────────────────┐
│       Library        │  Vulnerability   │ Severity │ Status │            Installed Version             │ Fixed Version  │                            Title                             │
├──────────────────────┼──────────────────┼──────────┼────────┼──────────────────────────────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ k8s.io/ingress-nginx │ CVE-2025-1974    │ CRITICAL │ fixed  │ v0.0.0-20250605041839-4eaa8bf5e1c8+dirty │ 1.11.5, 1.12.1 │ ingress-nginx: ingress-nginx admission controller RCE        │
│                      │                  │          │        │                                          │                │ escalation                                                   │
│                      │                  │          │        │                                          │                │ https://avd.aquasec.com/nvd/cve-2025-1974                    │
│                      ├──────────────────┼──────────┤        │                                          ├────────────────┼──────────────────────────────────────────────────────────────┤
│                      │ CVE-2021-25745   │ HIGH     │        │                                          │ 1.2.0          │ k8s.io/ingress-nginx: 'path' can be pointed to service       │
│                      │                  │          │        │                                          │                │ account token file                                           │
│                      │                  │          │        │                                          │                │ https://avd.aquasec.com/nvd/cve-2021-25745                   │
│                      ├──────────────────┤          │        │                                          ├────────────────┼──────────────────────────────────────────────────────────────┤
│                      │ CVE-2022-4886    │          │        │                                          │ 1.8.0          │ Ingress-nginx path sanitization can be bypassed              │
│                      │                  │          │        │                                          │                │ https://avd.aquasec.com/nvd/cve-2022-4886                    │
│                      ├──────────────────┤          │        │                                          ├────────────────┼──────────────────────────────────────────────────────────────┤
│                      │ CVE-2023-5043    │          │        │                                          │ 1.9.0          │ Ingress nginx annotation injection causes arbitrary command  │
│                      │                  │          │        │                                          │                │ execution                                                    │
│                      │                  │          │        │                                          │                │ https://avd.aquasec.com/nvd/cve-2023-5043                    │
│                      ├──────────────────┤          │        │                                          │                ├──────────────────────────────────────────────────────────────┤
│                      │ CVE-2023-5044    │          │        │                                          │                │ Ingress-nginx code injection via                             │
│                      │                  │          │        │                                          │                │ nginx.ingress.kubernetes.io/permanent-redirect annotation    │
│                      │                  │          │        │                                          │                │ https://avd.aquasec.com/nvd/cve-2023-5044                    │
│                      ├──────────────────┤          │        │                                          ├────────────────┼──────────────────────────────────────────────────────────────┤
│                      │ CVE-2025-1097    │          │        │                                          │ 1.11.5, 1.12.1 │ ingress-nginx: ingress-nginx controller - configuration      │
│                      │                  │          │        │                                          │                │ injection via unsanitized auth-tls-match-cn annotation       │
│                      │                  │          │        │                                          │                │ https://avd.aquasec.com/nvd/cve-2025-1097                    │
│                      ├──────────────────┤          │        │                                          │                ├──────────────────────────────────────────────────────────────┤
│                      │ CVE-2025-1098    │          │        │                                          │                │ ingress-nginx: ingress-nginx controller - configuration      │
│                      │                  │          │        │                                          │                │ injection via unsanitized mirror annotations                 │
│                      │                  │          │        │                                          │                │ https://avd.aquasec.com/nvd/cve-2025-1098                    │
│                      ├──────────────────┤          │        │                                          │                ├──────────────────────────────────────────────────────────────┤
│                      │ CVE-2025-24514   │          │        │                                          │                │ ingress-nginx: ingress-nginx controller - configuration      │
│                      │                  │          │        │                                          │                │ injection via unsanitized auth-url annotation                │
│                      │                  │          │        │                                          │                │ https://avd.aquasec.com/nvd/cve-2025-24514                   │
│                      ├──────────────────┼──────────┤        │                                          ├────────────────┼──────────────────────────────────────────────────────────────┤
│                      │ CVE-2018-1002104 │ MEDIUM   │        │                                          │ 1.5            │ kubernetes/ingress-nginx: /metrics endpoint exposed publicly │
│                      │                  │          │        │                                          │                │ by default                                                   │
│                      │                  │          │        │                                          │                │ https://avd.aquasec.com/nvd/cve-2018-1002104                 │
│                      ├──────────────────┤          │        │                                          ├────────────────┼──────────────────────────────────────────────────────────────┤
│                      │ CVE-2020-8553    │          │        │                                          │ 0.28.0         │ ingress-nginx component for Kubernetes allows file overwrite │
│                      │                  │          │        │                                          │                │ https://avd.aquasec.com/nvd/cve-2020-8553                    │
│                      ├──────────────────┤          │        │                                          ├────────────────┼──────────────────────────────────────────────────────────────┤
│                      │ CVE-2021-25748   │          │        │                                          │ 1.2.1          │ Ingress-nginx `path` sanitization can be bypassed with       │
│                      │                  │          │        │                                          │                │ newline character                                            │
│                      │                  │          │        │                                          │                │ https://avd.aquasec.com/nvd/cve-2021-25748                   │
│                      ├──────────────────┤          │        │                                          ├────────────────┼──────────────────────────────────────────────────────────────┤
│                      │ CVE-2025-24513   │          │        │                                          │ 1.11.5, 1.12.1 │ ingress-nginx: ingress-nginx controller - auth secret file   │
│                      │                  │          │        │                                          │                │ path traversal vulnerability                                 │
│                      │                  │          │        │                                          │                │ https://avd.aquasec.com/nvd/cve-2025-24513                   │
└──────────────────────┴──────────────────┴──────────┴────────┴──────────────────────────────────────────┴────────────────┴──────────────────────────────────────────────────────────────┘
...
% docker run -it --rm 8fe095a85e5f /usr/bin/nginx-ingress-controller --version       
-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       controller-v1.11.7
  Build:         4eaa8bf
  Repository:    https://github.com/kubernetes/ingress-nginx$
  nginx version: nginx/1.25.5

-------------------------------------------------------------------------------

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CVE-2025-1974 ingress-nginx critical vulnerability not detected in a vulnerable container #8709

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 5 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

CVE-2025-1974 ingress-nginx critical vulnerability not detected in a vulnerable container #8709

Uh oh!

tjanowski Apr 8, 2025

IDs

Description

Reproduction Steps

Version

Checklist

Replies: 2 comments · 5 replies

Uh oh!

itaysk Apr 8, 2025 Maintainer

Uh oh!

tjanowski Apr 9, 2025 Author

Uh oh!

Percivalll Apr 17, 2025

Uh oh!

Percivalll Apr 17, 2025

Uh oh!

knqyf263 Apr 17, 2025 Maintainer

Uh oh!

stchstepan Jul 9, 2025

Uh oh!

mbrancato Jul 18, 2025

tjanowski
Apr 8, 2025

Replies: 2 comments 5 replies

itaysk
Apr 8, 2025
Maintainer

tjanowski Apr 9, 2025
Author

knqyf263 Apr 17, 2025
Maintainer

mbrancato
Jul 18, 2025