8 advisories · Latest CVEs affecting DevOps & cloud infrastructure in 2025.
IngressNightmare — Remote Code Execution in ingress-nginx
A critical RCE vulnerability in the ingress-nginx admission controller allows an unauthenticated attacker on the pod network to inject arbitrary nginx configuration, leading to full cluster compromise.
Unauthenticated RCE with access to all Secrets in the cluster. Any pod that can reach the admission webhook (port 8443) can exploit this. Approximately 40% of public Kubernetes clusters were exposed.
Upgrade immediately to 1.11.5 or 1.12.1. If you cannot upgrade, disable the admission webhook or restrict network access to it via NetworkPolicy.
Apache Tomcat Partial PUT RCE
A partial PUT request causes Tomcat to write a temporary file with a predictable path. If the default servlet is enabled for write and the server has deserialization gadgets on the classpath, this enables unauthenticated RCE.
Unauthenticated RCE on Tomcat servers with partial PUT enabled and deserialization gadgets on the classpath. The default servlet's write capability is off by default but is commonly enabled in enterprise deployments.
Upgrade to the fixed versions. Disable partial PUT support and the default servlet write capability if not required.
FortiOS Authentication Bypass — Exploited in the Wild
An authentication bypass in the Node.js websocket module allows an unauthenticated remote attacker to gain super-admin privileges via crafted requests to the management interface. Actively exploited in the wild.
Full admin takeover of FortiGate firewalls and FortiProxy. CISA added it to the KEV catalog. Used in targeted attacks against enterprise networks to pivot internally.
Patch immediately. Disable management interface access from untrusted networks. Review admin accounts for unauthorized entries.
Next.js Middleware Authorization Bypass
An attacker can bypass Next.js middleware entirely by setting the x-middleware-subrequest header, skipping all authentication, authorization, and redirect logic defined in middleware.ts.
Complete bypass of any auth gate implemented in Next.js middleware. Admin panels, protected routes, and paywalls are all exposed. Only affects self-hosted deployments — Vercel patched at the edge.
Upgrade to 15.2.3 / 14.2.25. Strip the x-middleware-subrequest header at your reverse proxy (nginx/Cloudflare) as an interim measure.
Axios SSRF via Absolute URL Override
When axios is configured with a baseURL, passing an absolute URL as the request path overrides the baseURL entirely, bypassing any allowlist or SSRF protection that depends on the base URL being respected.
Server-Side Request Forgery in any Node.js app that uses axios with a baseURL as a security boundary. Attackers can force requests to internal metadata endpoints (AWS IMDSv1, GCP metadata) or internal services.
Upgrade to axios 1.8.2. Alternatively, validate the final resolved URL before making requests rather than relying on baseURL as a boundary.
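The mitigation above (validate the final resolved URL rather than trusting baseURL) as an added example; this is not code from the advisory or from axios itself. It reproduces the security-relevant part of the resolution rule the advisory describes with the WHATWG URL API, so it runs without axios installed. The allowlist and the denied metadata hosts are constructed for the demonstration, and the function names are the example's own.

```javascript
// Added example, not code from the advisory or from axios. ALLOWED_HOSTS and
// DENIED_HOSTS are constructed for the demonstration; adapt them per service.

// Same check axios uses to decide that a request path is absolute: a scheme
// followed by "//", or a protocol-relative "//" prefix. In either case axios
// ignores baseURL, which is exactly what defeats a baseURL-based allowlist.
const ABSOLUTE_URL = /^([a-z][a-z\d+\-.]*:)?\/\//i;

// Hosts this service is allowed to call (constructed allowlist).
const ALLOWED_HOSTS = new Set(["api.internal.example"]);

// Cloud metadata endpoints are refused unconditionally, so a mistake in the
// allowlist can never expose them.
const DENIED_HOSTS = new Set(["169.254.169.254", "metadata.google.internal"]);

// Resolve the URL that would really be fetched. WHATWG resolution matches the
// part of axios's behaviour that matters here: an absolute or protocol-relative
// path replaces the base's origin, a relative path is joined onto the base.
function resolveRequestUrl(baseURL, path) {
  return {
    url: new URL(path, baseURL),
    overridesBase: ABSOLUTE_URL.test(path),
  };
}

// Decide on the resolved URL, never on the configured base. Returns the URL
// string that is safe to hand to axios; throws for anything else.
function assertAllowedUrl(url) {
  if (url.protocol !== "https:") {
    throw new Error(`blocked scheme ${url.protocol}`);
  }
  if (DENIED_HOSTS.has(url.hostname)) {
    throw new Error(`blocked metadata host ${url.hostname}`);
  }
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    throw new Error(`host ${url.hostname} is not in the allowlist`);
  }
  return url.toString();
}

// The one call site to use: combine base and (possibly user-influenced) path,
// validate the result, and only then make the request.
function safeRequestUrl(baseURL, path) {
  const { url } = resolveRequestUrl(baseURL, path);
  return assertAllowedUrl(url);
}

// Usage: pass the validated absolute URL to axios instead of a path, e.g.
//   axios.get(safeRequestUrl("https://api.internal.example/v1/", userSuppliedPath));
// so the allowlist decision cannot be undone by the path argument.
```

Resolving first and checking second is the whole point: a path such as `http://169.254.169.254/latest/meta-data/` passes a naive "does baseURL point at our API" check, but the resolved URL makes the real target visible before any socket is opened.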
Vite Arbitrary File Read via Path Traversal
The Vite dev server allows arbitrary file reads outside the project root when specific query parameters with null bytes or URL encoding are appended to a request, bypassing the fs.deny filter.
Any file readable by the process can be exfiltrated — .env files, private keys, /etc/passwd. Only affects machines running vite dev with the server exposed to untrusted networks.
Upgrade to the patched version. Never expose vite dev to untrusted networks — use --host 127.0.0.1 in dev and never run the dev server in production.
Redis Unauthenticated DoS via Output Buffer
An unauthenticated attacker can cause unbounded memory growth in Redis by flooding the output buffer, leading to an OOM kill and denial of service with no credentials required.
Full DoS on any Redis instance exposed without proper network restrictions — no auth required. Critical for any deployment where Redis is reachable from untrusted networks.
Upgrade immediately. Apply network-level controls to restrict Redis access to trusted clients only. Enable requirepass as defense-in-depth.
undici Insufficient Entropy in Proxy-Authorization
undici uses Math.random() to generate boundary strings for multipart form data, making them predictable. Combined with a retry scenario, an attacker may be able to intercept Proxy-Authorization headers.
Credential leakage via proxy authentication on Node.js 18+ (undici is the built-in fetch). Affects any service using node fetch through an HTTP proxy with credentials.
Update Node.js to a patched release or upgrade undici to 6.21.1 directly.