
Description

Skipper is an HTTP router and reverse proxy for service composition. Before 0.23.0 the default Skipper configuration was -lua-sources=inline,file. The problem arises when untrusted users can create Lua filters, for example through a Kubernetes Ingress resource, because the inline source lets such a user supply a script that runs inside the Skipper process and can read any part of the filesystem that process can access. If that user can also read Skipper's logs, they can use this to read Skipper's secrets. The exposure depends on inline being enabled in -lua-sources; deployments should verify their effective flag value rather than assume the default. This vulnerability is fixed in 0.23.0.
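As an added check, not code from the Skipper project: a small Go helper that reads a Skipper command line (for example the container args of a Kubernetes Deployment) and reports whether inline Lua sources are enabled. It assumes only what the description above states, namely the flag name -lua-sources, a comma-separated value, and the pre-0.23.0 default inline,file when the flag is omitted. The default after 0.23.0 is not given here, so a separate version check is still needed. The sample command lines are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// preFixDefault is the pre-0.23.0 default value of -lua-sources taken
// from the advisory text; assumed to apply whenever the flag is absent.
const preFixDefault = "inline,file"

// luaSourcesValue returns the effective -lua-sources value for a Skipper
// command line. It accepts -lua-sources=v, --lua-sources=v, -lua-sources v
// and --lua-sources v (the forms Go's flag package parses); when the flag
// is repeated the last occurrence wins, as with the flag package.
func luaSourcesValue(args []string) string {
	value := preFixDefault
	for i := 0; i < len(args); i++ {
		a := args[i]
		if !strings.HasPrefix(a, "-") {
			continue // program name, positional arg, or an already consumed value
		}
		name := strings.TrimLeft(a, "-")
		switch {
		case strings.HasPrefix(name, "lua-sources="):
			value = strings.TrimPrefix(name, "lua-sources=")
		case name == "lua-sources" && i+1 < len(args):
			value = args[i+1]
			i++ // skip the consumed value
		}
	}
	return value
}

// luaInlineEnabled reports whether "inline" is among the enabled Lua
// sources, i.e. whether untrusted filter authors could ship script bodies.
func luaInlineEnabled(args []string) bool {
	for _, src := range strings.Split(luaSourcesValue(args), ",") {
		if strings.TrimSpace(src) == "inline" {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample command lines, not taken from a real deployment.
	samples := []struct {
		name string
		args []string
	}{
		{"explicit weak default", []string{"skipper", "-lua-sources=inline,file"}},
		{"flag omitted", []string{"skipper", "-address=:9090"}},
		{"file only", []string{"skipper", "--lua-sources", "file"}},
	}
	for _, s := range samples {
		fmt.Printf("%-22s lua-sources=%q inline=%v\n",
			s.name, luaSourcesValue(s.args), luaInlineEnabled(s.args))
	}
}
```

Run it against the args of every Skipper container in the cluster; any result with inline=true on a version below 0.23.0 is in scope for this advisory.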

Status: PUBLISHED | Reserved 2026-01-15 | Published 2026-01-16 | Updated 2026-01-16 | Assigner GitHub_M

HIGH: 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-250: Execution with Unnecessary Privileges

CWE-522: Insufficiently Protected Credentials

Product status

< 0.23.0: affected

References

github.com/...kipper/security/advisories/GHSA-cc8m-98fm-rc9g

github.com/...ommit/0b52894570773b29e2f3c571b94b4211ef8fa714

github.com/zalando/skipper/releases/tag/v0.23.0

cve.org (CVE-2026-23742)

nvd.nist.gov (CVE-2026-23742)
