Moderate severity CVE-2025-23419 flagged

[sammedsingalkar09]

Version
ingress-nginx v1.14.0, .....

Scanner
https://nvd.nist.gov/vuln/detail/CVE-2025-23419
GHSA-84xh-pwc6-7g4g

Test With
Version scanned: ingress-nginx v1.14.0 (latest)

Description
When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets

Remediation:
Apply the latest patches and updates provided by the respective vendors.
Bump NGINX version to 1.27.4 (current 1.27.1)

[k8s-ci-robot]

This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[Gacko]

Have you even tried to reproduce this? Because we might be using NGINX v1.27.1 under the hood, but one of the benefits of using OpenResty in the first place is this: https://github.com/kubernetes/ingress-nginx/blob/main/images/nginx/rootfs/patches/28_nginx-1.27.1-CVE-2025-23419.patch.

[Gacko]

https://openresty.org/en/ann-1027001002.html