Impact
When NGINX Plus is used as the data plane for F5 NGINX Gateway Fabric, the configuration generator component fails to sanitize user-supplied values from the NginxProxy Custom Resource Definition’s serverTokens field and the AuthenticationFilter Custom Resource Definition’s extraAuthArgs field. These values are rendered directly into NGINX configuration templates, allowing an authenticated attacker who can create or modify these CRDs to inject arbitrary NGINX configuration directives. The vulnerability is identified as CWE‑76 and can lead to unauthorized configuration changes that compromise the confidentiality, integrity, or availability of the data plane, potentially enabling remote code execution or malicious traffic routing.
Affected Systems
The affected environments are installations of F5 NGINX Gateway Fabric in which NGINX Plus functions as the data plane and the configuration generator component is active. The advisory does not list specific patch releases, so any version that still uses the unsanitized generator is considered vulnerable unless updated beyond end‑of‑technical‑support.
Risk and Exploitability
The CVSS score of 8.6 signals a high severity flaw, but the EPSS score of <1% indicates a low probability of exploitation at present. The vulnerability is not included in the CISA KEV catalog. Exploitation requires an authenticated attacker with sufficient RBAC permissions to modify Custom Resource Definitions within the Kubernetes cluster, making the attack vector a control‑plane, authenticated scenario. Given the high potential impact but limited current exploitation likelihood, applying the definitive patch and tightening access controls is strongly recommended.
OpenCVE Enrichment