x/vulndb: potential Go vuln in k8s.io/ingress-nginx: GHSA-242m-6h72-7hgp

[GoVulnBot]

Advisory GHSA-242m-6h72-7hgp references a vulnerability in the following Go modules:

Module
k8s.io/ingress-nginx

Description:
A security issue was discovered in ingress-nginx where attacker-provided data are included in a filename by the ingress-nginx Admission Controller feature, resulting in directory traversal within the container. This could result in denial of service, or when combined with other vulnerabilities, limited disclosure of Secret objects from the cluster.

References:

• ADVISORY: GHSA-242m-6h72-7hgp
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-24513
• REPORT: CVE-2025-24513: ingress-nginx controller - auth secret file path traversal vulnerability kubernetes/kubernetes#131005
• WEB: https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.11.5
• WEB: https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.12.1
• WEB: https://groups.google.com/g/kubernetes-security-announce/c/2qa9DFtN0cQ

Cross references:

• k8s.io/ingress-nginx appears in 7 other report(s):
  • data/excluded/GO-2022-0613.yaml (x/vulndb: potential Go vuln in k8s.io/ingress-nginx: GHSA-pvmg-xgmx-9mxh #613) NOT_IMPORTABLE
  • data/excluded/GO-2023-1789.yaml (x/vulndb: potential Go vuln in k8s.io/ingress-nginx: GHSA-863x-868h-968x #1789) NOT_IMPORTABLE
  • data/excluded/GO-2023-1916.yaml (x/vulndb: potential Go vuln in k8s.io/ingress-nginx: GHSA-hhpm-74pm-hf35 #1916) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1953.yaml (x/vulndb: potential Go vuln in k8s.io/ingress-nginx: GHSA-p3x5-5xpx-9phm #1953) NOT_IMPORTABLE
  • data/excluded/GO-2023-2174.yaml (x/vulndb: potential Go vuln in k8s.io/ingress-nginx: GHSA-5wj4-wffq-3378 #2174) NOT_IMPORTABLE
  • data/excluded/GO-2023-2175.yaml (x/vulndb: potential Go vuln in k8s.io/ingress-nginx: GHSA-gvrm-w2f9-f77q #2175) NOT_IMPORTABLE
  • data/reports/GO-2024-2428.yaml (x/vulndb: potential Go vuln in k8s.io/ingress-nginx: GHSA-fp9f-44c2-cw27 #2428)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: k8s.io/ingress-nginx
      non_go_versions:
        - fixed: 1.11.5
        - introduced: 1.12.0-beta.0
        - fixed: 1.12.1
      vulnerable_at: 0.0.0-20250325144035-1d7abc12ef72
summary: ingress-nginx controller - auth secret file path traversal vulnerability in k8s.io/ingress-nginx
cves:
    - CVE-2025-24513
ghsas:
    - GHSA-242m-6h72-7hgp
references:
    - advisory: https://github.com/advisories/GHSA-242m-6h72-7hgp
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-24513
    - report: https://github.com/kubernetes/kubernetes/issues/131005
    - web: https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.11.5
    - web: https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.12.1
    - web: https://groups.google.com/g/kubernetes-security-announce/c/2qa9DFtN0cQ
source:
    id: GHSA-242m-6h72-7hgp
    created: 2025-03-25T16:01:33.155668003Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/660559 mentions this issue: data/reports: add 28 reports