
The latest HAProxy Kubernetes Ingress Controller (KIC) versions address a medium-severity vulnerability that could enable a privilege escalation attack. Users with permissions to create or update ingress objects can exploit a flaw in the config-snippets feature, allowing them to gain access to Kubernetes API secrets.
If you're using an affected version of the HAProxy Kubernetes Ingress Controller, you should upgrade to a fixed version as soon as possible. A workaround is available for those who cannot upgrade immediately.
Vulnerability details
CVE Identifier: CVE-2025-59303
CVSSv3 Score: 6.4
Description:
A security vulnerability has been identified in HAProxy Kubernetes Ingress Controller, where the config-snippets feature can be misused. Users with Kubernetes permissions to create or modify Ingress or Service objects can inject specific HAProxy configurations. These configurations can then be used to access sensitive Kubernetes service account tokens from the ingress controller's environment. Successfully exploiting this vulnerability allows an attacker to obtain the ingress controller's token secret. This secret can then be used to access any data available to the ingress controller, leading to privilege escalation within the Kubernetes cluster. This risk is particularly high in multi-tenant or hosted environments where end-users may be untrusted.
Affected versions and remediation
HAProxy Technologies released new versions of the HAProxy Kubernetes Ingress Controller on Wednesday, October 8, 2025. These releases patch the vulnerability described above in CVE-2025-59303.
This fix introduces the preloaded libblock_secrets.so library to intercept and block the HAProxy process from accessing sensitive Kubernetes secret paths.
| Product | Affected Version(s) | Fixed Version(s) |
|---|---|---|
| HAProxy Kubernetes Ingress Controller (Community) | All prior versions | v3.1.13 |
| HAProxy Enterprise Kubernetes Ingress Controller | All prior versions | v3.0.16-ee1, v1.11.13-ee1, v1.9.15-ee1 |
Upgrade instructions
Users of affected products should upgrade immediately by pulling the latest image version for their respective release track.
Mitigation and workaround details
Disabling the config-snippets feature can mitigate the vulnerability for users who cannot upgrade immediately. This will prevent users from injecting arbitrary HAProxy configuration.
You can disable this feature by starting the Ingress Controller with the following flag:
--disable-config-snippets
Please note that this will disable all custom configuration snippets throughout your environment.
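The following audit script is an added example, not code from HAProxy Technologies or from this advisory. It ties together the fixed-version table above and the --disable-config-snippets workaround: given the image and args of each controller container (as they appear under spec.template.spec.containers of the controller Deployment), it reports whether a container is patched, covered only by the workaround, or still exposed. Assumptions: Community tags look like v3.1.12 and Enterprise tags like v3.0.15-ee1; each Enterprise branch listed in the table is fixed from its own listed version; tags that cannot be parsed and Enterprise branches the table does not list are treated as affected (fail closed). The sample container specs, image references and args are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# First fixed versions taken from the advisory table. Community tags carry no
# "-ee" suffix; Enterprise tags do, and each maintained branch has its own fix.
FIXED_COMMUNITY = (3, 1, 13)
FIXED_ENTERPRISE = {
    (3, 0): (3, 0, 16, 1),
    (1, 11): (1, 11, 13, 1),
    (1, 9): (1, 9, 15, 1),
}
WORKAROUND_FLAG = "--disable-config-snippets"

TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-ee(\d+))?$")


def parse_tag(tag: str) -> Optional[Tuple[int, ...]]:
    """Turn 'v3.1.12' into (3, 1, 12) and 'v3.0.15-ee1' into (3, 0, 15, 1)."""
    m = TAG_RE.match(tag.strip())
    if not m:
        return None
    major, minor, patch, ee = m.groups()
    version = (int(major), int(minor), int(patch))
    return (version + (int(ee),)) if ee is not None else version


def is_patched(tag: str) -> bool:
    """True only when the tag is at or above the fixed version for its track.
    Assumption: unparseable tags and Enterprise branches not in the table are
    reported as affected rather than silently passed."""
    version = parse_tag(tag)
    if version is None:
        return False
    if len(version) == 3:  # Community track: a single fixed version
        return version >= FIXED_COMMUNITY
    fixed = FIXED_ENTERPRISE.get(version[:2])  # Enterprise: per-branch fix
    return fixed is not None and version >= fixed


def image_tag(image: str) -> str:
    """Extract the tag from an image reference. Registry host:port also
    contains ':', so only the last path component is inspected."""
    last = image.rsplit("/", 1)[-1]
    return last.split(":", 1)[1] if ":" in last else ""


def assess(container: dict) -> str:
    """Classify one container spec as 'patched', 'workaround' or 'exposed'."""
    if is_patched(image_tag(container.get("image", ""))):
        return "patched"
    if WORKAROUND_FLAG in container.get("args", []):
        return "workaround"
    return "exposed"


def audit(containers: list) -> dict:
    """Map container name -> status for every container handed in."""
    return {c["name"]: assess(c) for c in containers}


# Constructed sample: three controller container specs. The Enterprise
# registry path is a placeholder, and the args are illustrative only.
SAMPLE_CONTAINERS = [
    {"name": "kic-community-old",
     "image": "haproxytech/kubernetes-ingress:v3.1.12",
     "args": []},
    {"name": "kic-community-old-flagged",
     "image": "haproxytech/kubernetes-ingress:v3.1.12",
     "args": ["--configmap=default/haproxy-kubernetes-ingress", WORKAROUND_FLAG]},
    {"name": "kic-enterprise-fixed",
     "image": "registry.example:5000/kubernetes-ingress-ee:v3.0.16-ee1",
     "args": []},
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_CONTAINERS).items():
        print(f"{name}: {status}")
```

In a real cluster the container specs would come from the controller Deployment (for example via kubectl get deployment -o json), and any container reported as "exposed" should be upgraded or, failing that, restarted with the flag above. Note that "workaround" means the injection vector is closed, not that the installed version is fixed.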
Future improvements
Starting with version 3.2 of the HAProxy Kubernetes Ingress Controller, the config-snippets feature will be disabled by default and will become an opt-in capability. We encourage users to migrate towards using CRDs and custom annotations, which provide administrators with granular control over configurable parameters.
Support
If you are an HAProxy customer with questions about this advisory or upgrading to the latest version, please contact our support team.