Controller image CVE-2025-15467 from openssl

[rparini-intellegens]

Reported in Google Cloud's Security command center and Docker scout v1.19.0. To reproduce:

docker scout cves registry.k8s.io/ingress-nginx/controller:v1.14.2

The ingress-nginx/controller:v1.14.2 image contains openssl version 3.5.4-r0 which has recently disclosed several CVEs but the most notable is the Critical CVE-2025-15467 which can potentially allow for Remote Code Execution.

• https://nvd.nist.gov/vuln/detail/CVE-2025-15467
• https://securitylabs.datadoghq.com/articles/openssl-january-2026-security-update-cms-and-pkcs12-buffer-overflows/#how-to-know-if-you-are-affected

Is the ingress-nginx controller potentially vulnerable to this through its use of openssl? If so, is there some configuration of the controller that would mitigate the issue?

[k8s-ci-robot]

This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[strongjz]

@Gacko might want to look into this for the next release. I know we were looking st upgrading alpine as well, so it will probably be in there.

[Gacko]

So I checked the current and latest NGINX base image we built this week and will use in the upcoming patch release. It sadly still uses OpenSSL v3.5.4, even though we're doing apk upgrade in the build process.

Alpine v3.23.3 comes with OpenSSL v3.5.5 instead, so the next patch release end of March will include it, since we are definitely going to bump all the dependencies once again before releasing.

[rparini-intellegens]

Thanks for the update, appreciate it will be patched end of March. And thanks for your work on this project, sad to see it retire!

In the meantime, are you able to give any advice on the likelihood of this vulnerability actually being a risk for ingress-nginx users? I'm not sure whether the ingress-nginx controller uses openssl in the way described in the CVE (or maybe only in specific circumstances?):

Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable.

Since the patch updating OpenSSL will take some time, I'm trying to understand the actual risk and if any mitigations are possible until then.

[rparini-intellegens]

So I checked the current and latest NGINX base image we built this week and will use in the upcoming patch release. It sadly still uses OpenSSL v3.5.4, even though we're doing apk upgrade in the build process.

Scanning the just released v1.14.3

docker scout cves registry.k8s.io/ingress-nginx/controller:v1.14.3

does not show any openssl vulnerabilities for me. But do you mean the NGINX base is statically built against the older OpenSSL at an earlier point in the build process so it's still used even if OpenSSL is updated in the final image?