CRE-2025-0114

Nginx Ingress Controller rewritten URI has a zero length
Severity: High
Impact: 8/10
Mitigation: 6/10

Description

Detects a rewrite error that leads to service unavailability.

An incorrect rewrite causes responses with HTTP code 500 or 400.

This CRE detects an empty rewrite.


Cause

  • Wrong rewrite rule applied
  • Rewrite ends up empty

Mitigation

  • Check that the ingress rule's rewrite target is not missing a leading `/`. For example, with this rule:

      metadata:
        annotations:
          ...
          nginx.ingress.kubernetes.io/rewrite-target: $2
          ...
                - path: /path1(/|$)(.*)

Accessing the path /path1/ causes an empty rewrite (HTTP code 500), and /path1/path2 is rewritten to path2 (without a / at the beginning, causing HTTP code 400).

With the following rule:

      metadata:
        annotations:
          ...
          nginx.ingress.kubernetes.io/rewrite-target: /$2
          ...
                - path: /path1(/|$)(.*)

At least one / is always added at the beginning of the rewrite output.
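The two rules above can be compared offline before a change is applied. This is an added example, not part of the original CRE or of ingress-nginx: it uses a simplified model of the rewrite (regex match plus `$N` expansion), and the function names and sample request paths are constructed for illustration.

```python
import re

# Status codes below are the ones this page reports for each failure mode.
def rewrite(path_regex, target, request_path):
    """Simplified model (an assumption, not ingress-nginx code): match the
    ingress path regex at the start of the request path, then expand $N
    capture references in the rewrite-target annotation value."""
    m = re.match(path_regex, request_path)
    if m is None:
        return None  # rule does not apply to this request

    def expand(ref):
        n = int(ref.group(1))
        if n > m.re.groups:
            return ""
        return m.group(n) or ""

    return re.sub(r"\$(\d)", expand, target)


def classify(uri):
    if uri is None:
        return "no match"
    if uri == "":
        return "empty rewrite (HTTP 500)"
    if not uri.startswith("/"):
        return "missing leading / (HTTP 400)"
    return "ok"


def check_rule(path_regex, target, samples):
    """Return {request_path: (rewritten_uri, verdict)} for each sample."""
    result = {}
    for p in samples:
        uri = rewrite(path_regex, target, p)
        result[p] = (uri, classify(uri))
    return result


PATH = r"/path1(/|$)(.*)"                                   # path from the page
SAMPLES = ["/path1", "/path1/", "/path1/path2", "/other"]   # constructed requests

if __name__ == "__main__":
    for target in ("$2", "/$2"):                            # both annotation values
        print(f"rewrite-target: {target}")
        for req, (uri, verdict) in check_rule(PATH, target, SAMPLES).items():
            print(f"  {req!r:16} -> {uri!r:10} {verdict}")
```

Running the same sample paths against any candidate `rewrite-target` value shows whether a request can still produce an empty or slash-less URI.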

