Description
Skipper is an HTTP router and reverse proxy for service composition. The default Skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create Lua filters, for example through a Kubernetes Ingress resource, because -lua-sources=inline allows those users to supply a script that can read the filesystem accessible to the Skipper process; if the user can also read the logs, they can read Skipper secrets. This vulnerability is fixed in 0.23.0.
Published: 2026-01-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution
Action: Immediate Patch
AI Analysis

Impact

An attacker who can inject Lua scripts into Skipper's routing configuration can execute arbitrary code on the machine running the proxy. The vulnerability stems from the default configuration, which allows inline Lua sources. Because the Lua runtime runs with the same filesystem permissions as the Skipper process, a crafted script can read any file the process can access, including Skipper's own secrets. This alone discloses sensitive information, and the same capability can be used to write or delete files, execute binaries or alter network behaviour. The weakness is classified under CWE-250 (Execution with Unnecessary Privileges), CWE-94 (Code Injection) and CWE-522 (Insufficiently Protected Credentials).

Affected Systems

Zalando Skipper, all releases prior to 0.23.0 that expose the -lua-sources=inline option, including deployments that run with the default configuration. The issue becomes exploitable when untrusted users can add Lua filters, for example through a Kubernetes Ingress that forwards arbitrary routing rules to the Skipper service.

Risk and Exploitability

The CVSS score of 8.8 rates this a high-severity flaw. The EPSS value below 1% indicates a very low exploitation probability at present, and the vulnerability is not yet listed in the CISA KEV catalog. Nonetheless, the flaw allows local file read and potential arbitrary code execution if an attacker can supply Lua scripts. Since the attack requires creating or modifying a routing rule that contains Lua code, the vector is inferred to be either local access or compromise of the configuration channel (e.g., a misconfigured Ingress).

Generated by OpenCVE AI on April 18, 2026 at 05:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Skipper to version 0.23.0 or later.
  • If an upgrade cannot be performed immediately, remove or disable the -lua-sources=inline option so that only file-based Lua sources are allowed.
  • Restrict the creation of Ingress resources or other configuration entry points to trusted administrators to prevent untrusted users from injecting Lua filters.

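As an added example (not part of the OpenCVE record or of the Skipper project), the following Python check flags a Skipper container whose image tag is below 0.23.0 and whose -lua-sources setting (or the pre-0.23.0 default inline,file) still allows inline Lua, and rewrites its arguments to the file-only setting recommended above. The Deployment object is constructed in the shape kubectl -o json returns, and the image name and tag are assumptions.

```python
import re

FIXED_VERSION = (0, 23, 0)       # advisory: fixed in 0.23.0
PRE_FIX_DEFAULT = "inline,file"  # advisory: default -lua-sources before 0.23.0

def parse_image_version(image: str):
    """(major, minor, patch) from a release tag such as skipper:v0.22.1, else None."""
    tag = image.rsplit("/", 1)[-1].partition(":")[2]
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None

def lua_sources(args: list):
    """Explicit -lua-sources value (-flag=value or -flag value form), or None when absent."""
    for i, arg in enumerate(args):
        name, sep, value = arg.lstrip("-").partition("=")
        if name == "lua-sources":
            return value if sep else (args[i + 1] if i + 1 < len(args) else None)
    return None

def assess(image: str, args: list) -> dict:
    """Vulnerable when inline Lua is enabled (explicit or old default) below 0.23.0; an unparseable tag counts as unpatched."""
    version = parse_image_version(image)
    effective = lua_sources(args) or PRE_FIX_DEFAULT
    patched = version is not None and version >= FIXED_VERSION
    inline = "inline" in effective.split(",")
    return {"version": version, "lua_sources": effective, "vulnerable": inline and not patched}

def harden_args(args: list) -> list:
    """Copy of args with -lua-sources pinned to file only (the interim mitigation above)."""
    out, i = [], 0
    while i < len(args):
        if args[i].lstrip("-").partition("=")[0] == "lua-sources":
            out.append("-lua-sources=file")
            i += 1 if "=" in args[i] else 2  # bare-flag form carries its value in the next arg
        else:
            out.append(args[i])
            i += 1
    return out if "-lua-sources=file" in out else out + ["-lua-sources=file"]

# Constructed sample in the shape of `kubectl get deploy skipper -o json`; image name is assumed.
SAMPLE_DEPLOYMENT = {"spec": {"template": {"spec": {"containers": [
    {"name": "skipper", "image": "ghcr.io/zalando/skipper:v0.22.1",
     "args": ["skipper", "-kubernetes", "-lua-sources=inline,file"]}]}}}}

def scan_deployment(obj: dict) -> list:
    """Assess each container and attach the hardened args to apply."""
    return [{"name": c["name"], "hardened_args": harden_args(c.get("args", [])),
             **assess(c.get("image", ""), c.get("args", []))}
            for c in obj["spec"]["template"]["spec"]["containers"]]
```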
Advisories
Source: GitHub GHSA
ID: GHSA-cc8m-98fm-rc9g
Title: Skipper is vulnerable to arbitrary code execution through lua filters
History

Wed, 18 Feb 2026 16:30:00 +0000

Values added:
  CPEs: cpe:2.3:a:zalando:skipper:*:*:*:*:*:*:*:*

Mon, 19 Jan 2026 09:45:00 +0000

Values added:
  First Time appeared: Zalando, Zalando skipper
  Vendors & Products: Zalando, Zalando skipper

Fri, 16 Jan 2026 21:15:00 +0000

Values added:
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 16 Jan 2026 20:15:00 +0000

Values added:
  Description: the advisory text shown under Description above
  Title: Skipper arbitrary code execution through lua filters
  Weaknesses: CWE-250, CWE-522, CWE-94
  References: none recorded
  Metrics (cvssV3_1): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-16T20:24:12.702Z

Reserved: 2026-01-15T15:45:01.958Z

Link: CVE-2026-23742

Vulnrichment

Updated: 2026-01-16T20:23:49.789Z

NVD

Status : Analyzed

Published: 2026-01-16T20:15:51.613

Modified: 2026-02-18T16:28:20.980

Link: CVE-2026-23742

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:45:38Z

Weaknesses