
Preface: A Kubernetes (K8s) sidecar controller is a custom controller that manages sidecar containers within a Pod. Sidecar containers run alongside the main application container in the same Pod and add capabilities such as logging, monitoring, security enforcement or data synchronization without changing the application's own code.
Background: Ingress annotations in Kubernetes carry controller-specific configuration that the ingress controller turns into its own config. With the NGINX ingress controller (ingress-nginx), for example, annotations can add custom nginx configuration snippets, which is often done to handle specific routing rules, security settings or other custom behaviours.
However, because annotation values end up in the generated nginx configuration, it is important to be cautious with them: a value that the controller does not validate properly can introduce security vulnerabilities. For instance, the mirror-target and mirror-host annotations were found to allow arbitrary configuration injection (CVE-2025-1098), which can lead to remote code execution in the controller and other security risks.
Vulnerability details: A security issue was discovered in ingress-nginx where the "auth-url" ingress annotation can be used to inject configuration into nginx (CVE-2025-24514). This can lead to arbitrary code execution in the context of the ingress-nginx controller.
Note that in a default installation the controller can read all Secrets cluster-wide, so code execution in the controller exposes every Secret in the cluster, not only those of the namespace that owns the Ingress.
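The Background and Vulnerability details sections above describe annotation values flowing into nginx configuration. The script below is an added example (not code from the original post or from the ingress-nginx project) that a cluster operator could run over the output of `kubectl get ingress -A -o json` to find Ingress objects whose annotations are either raw config snippets by design or carry characters that terminate or open an nginx directive, and to check whether a controller image tag is at or above the fixed releases (v1.11.5 and v1.12.1). The two Ingress objects and the image references are constructed for the demo; the annotation names are the ones named in the advisories, and the character list is the author's heuristic, not a project-supplied rule.

```python
"""Audit ingress-nginx annotations for directive injection and check the
controller image version.

Added example; not part of the original post or the ingress-nginx project.
Input is the JSON printed by `kubectl get ingress -A -o json`.
"""
import json
import re

ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"

# Annotations named in the CVE-2025-1097 / -1098 / -24514 advisories, plus the
# two snippet annotations that inject raw nginx configuration by design.
RISKY_ANNOTATIONS = {
    "auth-url",
    "auth-tls-match-cn",
    "mirror-target",
    "mirror-host",
    "configuration-snippet",
    "server-snippet",
}

# Heuristic (author's assumption): characters that end or structure an nginx
# directive. A legitimate URL or hostname in these annotations needs none of them.
INJECTION_CHARS = re.compile(r"[;{}\n#]")


def audit_ingress_list(ingress_list: dict) -> list[dict]:
    """Return one finding per risky annotation on each Ingress in the list."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        for key, value in annotations.items():
            if not key.startswith(ANNOTATION_PREFIX):
                continue
            name = key[len(ANNOTATION_PREFIX):]
            if name not in RISKY_ANNOTATIONS:
                continue
            is_snippet = name.endswith("-snippet")
            has_injection_chars = bool(INJECTION_CHARS.search(value))
            if is_snippet or has_injection_chars:
                findings.append({
                    "namespace": meta.get("namespace"),
                    "name": meta.get("name"),
                    "annotation": name,
                    "reason": "raw config snippet" if is_snippet
                              else "directive characters in value",
                    "value": value,
                })
    return findings


# Fixed releases per minor line; anything at or above 1.12.1 is patched,
# 1.11.x is patched from 1.11.5, older lines received no fix.
FIXED_1_11 = (1, 11, 5)
FIXED_1_12 = (1, 12, 1)
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def controller_is_patched(image: str) -> bool:
    """True if the image tag is a fixed release. Unparsable tags count as unpatched."""
    ref = image.split("@", 1)[0]          # drop a trailing @sha256:... digest
    tag = ref.rsplit(":", 1)[-1]          # text after the last ':' is the tag
    m = VERSION_RE.match(tag)
    if not m:
        return False
    version = tuple(int(x) for x in m.groups())
    if version[:2] == (1, 11):
        return version >= FIXED_1_11
    return version >= FIXED_1_12


# Constructed sample: one benign Ingress and one carrying suspicious values.
SAMPLE_INGRESS_JSON = json.loads("""
{
  "items": [
    {"metadata": {"namespace": "prod", "name": "web",
      "annotations": {
        "nginx.ingress.kubernetes.io/auth-url": "https://auth.example.internal/verify",
        "nginx.ingress.kubernetes.io/rewrite-target": "/"}}},
    {"metadata": {"namespace": "dev", "name": "suspicious",
      "annotations": {
        "nginx.ingress.kubernetes.io/auth-url": "http://x.internal/;\\ninjected_directive on;",
        "nginx.ingress.kubernetes.io/configuration-snippet": "proxy_set_header X-Demo on;"}}}
  ]
}
""")

if __name__ == "__main__":
    for f in audit_ingress_list(SAMPLE_INGRESS_JSON):
        print(f"{f['namespace']}/{f['name']}: {f['annotation']} ({f['reason']})")
    for img in ("registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:abc",
                "registry.k8s.io/ingress-nginx/controller:v1.12.1"):
        print(img, "patched" if controller_is_patched(img) else "UNPATCHED")
```

In a real cluster, feed the script `kubectl get ingress -A -o json` and pull the controller image from the ingress-nginx Deployment; a hit on the snippet annotations is not itself a vulnerability, but it shows who can already write raw nginx config, which is the same capability the injection bugs hand to anyone who can create an Ingress.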
Official announcement: The most severe of these issues, CVE-2025-1974, is rated CVSS 9.8; the annotation injection issues CVE-2025-1097, CVE-2025-1098 and CVE-2025-24514 are rated CVSS 8.8. The fixes are in ingress-nginx v1.12.1 and v1.11.5. Please refer to the links for details:
https://nvd.nist.gov/vuln/detail/CVE-2025-1974
https://nvd.nist.gov/vuln/detail/CVE-2025-24514