Lua-Based Annotation Parsers Vulnerable to Injection Attacks

9/10 Critical

Lua-based annotation parsers in ingress-nginx (e.g., `auth-url`, `auth-tls-match-cn`, mirror UID parsers) fail to properly sanitize user inputs before incorporating them into NGINX/Lua configurations. Attackers can craft malicious Ingress annotations that inject arbitrary directives into the NGINX configuration template via the admission controller's validation logic.

Category: security
Workaround: none
Stage: deploy
Freshness: emerging
Scope: framework
Upstream: open
Recurring: Yes
Buyer Type: team
Maintainer: active

Sources

Collection History

Query: “What are the most common pain points with Nginx for developers in 2025?” (4/4/2026)

A series of vulnerabilities discovered in 2025 demonstrated that Lua-based annotation parsers remained vulnerable to injection attacks... The auth-url, auth-tls-match-cn, and mirror UID parsers failed to properly sanitize user inputs before incorporating them into NGINX/Lua configurations. Attackers could craft malicious Ingress annotations that, when processed by the admission controller's Lua-based validation logic, would inject arbitrary directives into the NGINX configuration template.

Created: 4/4/2026
Updated: 4/4/2026