{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-59303", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-10-08T17:10:15.387Z", "dateReserved": "2025-09-12T00:00:00.000Z", "datePublished": "2025-10-08T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "HAProxy Kubernetes Ingress Controller", "vendor": "HAProxy", "versions": [{"lessThan": "3.1.13", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "HAProxy Kubernetes Ingress Controller before 3.1.13, when the config-snippets feature flag is used, accepts config snippets from users with create/update permissions. This can result in obtaining an ingress token secret as a response. The fixed versions of HAProxy Enterprise Kubernetes Ingress Controller are 3.0.16-ee1, 1.11.13-ee1, and 1.9.15-ee1."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-791", "description": "CWE-791 Incomplete Filtering of Special Elements", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-10-08T16:01:18.361Z"}, "references": [{"url": "https://haproxy.com/blog/cve-2025-59303-haproxy-kubernetes-ingress-controller-secret-leak"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-08T17:10:00.388359Z", "id": "CVE-2025-59303", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-08T17:10:15.387Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-59303", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-08T17:10:00.388359Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-08T17:10:08.106Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "HAProxy", "product": "HAProxy Kubernetes Ingress Controller", "versions": [{"status": "affected", "version": "0", "lessThan": "3.1.13", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://haproxy.com/blog/cve-2025-59303-haproxy-kubernetes-ingress-controller-secret-leak"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "descriptions": [{"lang": "en", "value": "HAProxy Kubernetes Ingress Controller before 3.1.13, when the config-snippets feature flag is used, accepts config snippets from users with create/update permissions. This can result in obtaining an ingress token secret as a response. The fixed versions of HAProxy Enterprise Kubernetes Ingress Controller are 3.0.16-ee1, 1.11.13-ee1, and 1.9.15-ee1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-791", "description": "CWE-791 Incomplete Filtering of Special Elements"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-10-08T16:01:18.361Z"}}}, "cveMetadata": {"cveId": "CVE-2025-59303", "state": "PUBLISHED", "dateUpdated": "2025-10-08T17:10:15.387Z", "dateReserved": "2025-09-12T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-10-08T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "HAProxy Kubernetes Ingress Controller before 3.1.13, when the config-snippets feature flag is used, accepts config snippets from users with create/update permissions. This can result in obtaining an ingress token secret as a response. The fixed versions of HAProxy Enterprise Kubernetes Ingress Controller are 3.0.16-ee1, 1.11.13-ee1, and 1.9.15-ee1."}], "id": "CVE-2025-59303", "lastModified": "2025-10-08T19:38:09.863", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2025-10-08T16:15:38.870", "references": [{"source": "cve@mitre.org", "url": "https://haproxy.com/blog/cve-2025-59303-haproxy-kubernetes-ingress-controller-secret-leak"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-791"}], "source": "cve@mitre.org", "type": "Primary"}]}

{"bugzilla": {"description": "haproxy: HAProxy Kubernetes Ingress Controller: Secret Leak via Config Snippets", "id": "2402538", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402538"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "status": "draft"}, "cwe": "CWE-791", "details": ["HAProxy Kubernetes Ingress Controller before 3.1.13, when the config-snippets feature flag is used, accepts config snippets from users with create/update permissions. This can result in obtaining an ingress token secret as a response. The fixed versions of HAProxy Enterprise Kubernetes Ingress Controller are 3.0.16-ee1, 1.11.13-ee1, and 1.9.15-ee1."], "mitigation": {"lang": "en:us", "value": "Disabling the config-snippets feature before starting the Ingres Controller is a useful mitigation for this vulnerability.\nThis can be done by starting the Ingres Controller with the following flag:\n--disable-config-snippets\nUpgrade to version 3.2 and above to fix this issue."}, "name": "CVE-2025-59303", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Out of support scope", "package_name": "haproxy", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "haproxy", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "haproxy", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "haproxy", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "haproxy", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "haproxy", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2025-10-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-59303\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-59303\nhttps://haproxy.com/blog/cve-2025-59303-haproxy-kubernetes-ingress-controller-secret-leak"], "statement": "This flaw is rated Moderate primarily because successful exploitation requires the attacker to possess existing privileges allowing them to create or modify Ingress or Service objects in a cluster environment. The core flaw is a configuration injection weakness where the KIC's config-snippets feature can be misused to embed arbitrary HAProxy directives that are not properly sanitized. This malicious code allows an attacker to access environment variables, specifically the highly sensitive Kubernetes service account token secret, which is available to the ingress controller pod. Obtaining this token permits an authenticated user to perform privilege escalation and access cluster data. \nSo essentially, for a product to be affected, it has to both ship the base haproxy RPM and run it in the Kubernetes Ingres Controller.", "threat_severity": "Moderate"}

{"created": "2025-10-09T12:55:12.644438+00:00", "updated": "2025-10-09T12:55:12.644464+00:00", "vendors": ["haproxy", "haproxy$PRODUCT$haproxy", "kubernetes", "kubernetes$PRODUCT$haproxy_ingress_controller", "kubernetes$PRODUCT$kubernetes"]}