CVE-2025-59303: CWE-791 Incomplete Filtering of Special Elements in HAProxy HAProxy Kubernetes Ingress Controller
HAProxy Kubernetes Ingress Controller before 3.1.13, when the config-snippets feature flag is used, accepts config snippets from users with create/update permissions. This can result in obtaining an ingress token secret as a response. The fixed versions of HAProxy Enterprise Kubernetes Ingress Controller are 3.0.16-ee1, 1.11.13-ee1, and 1.9.15-ee1.
AI Analysis
Technical Summary
CVE-2025-59303 is a vulnerability classified under CWE-791 (Incomplete Filtering of Special Elements) affecting the HAProxy Kubernetes Ingress Controller prior to version 3.1.13 when the config-snippets feature flag is enabled. This feature allows users with create or update permissions on ingress resources to inject arbitrary configuration snippets. Due to insufficient filtering of these snippets, an attacker can craft configurations that cause the controller to disclose ingress token secrets in responses. These secrets are critical for authenticating and authorizing ingress traffic within Kubernetes clusters. The vulnerability impacts the confidentiality and integrity of sensitive tokens, potentially enabling privilege escalation or unauthorized access to cluster resources. The CVSS v3.1 base score is 6.4, reflecting a network attack vector with low attack complexity, requiring privileges but no user interaction, and a scope change due to the potential for broader cluster compromise. No known exploits are currently reported in the wild. The issue is fixed in HAProxy Enterprise Kubernetes Ingress Controller versions 3.0.16-ee1, 1.11.13-ee1, and 1.9.15-ee1. Organizations running affected versions should update promptly and review RBAC policies to limit permissions to trusted users only.
Potential Impact
For European organizations, this vulnerability poses a significant risk to Kubernetes cluster security, particularly those relying on HAProxy Kubernetes Ingress Controller for ingress management. Exposure of ingress token secrets can lead to unauthorized access to cluster resources, potentially allowing attackers to manipulate ingress traffic, intercept sensitive data, or escalate privileges within the cluster. This can disrupt business operations, compromise data confidentiality, and violate compliance requirements such as GDPR. Organizations with multi-tenant or hybrid cloud environments are especially vulnerable due to the potential lateral movement within clusters. The impact is heightened in sectors with critical infrastructure or sensitive data, including finance, healthcare, and government institutions. Given the widespread adoption of Kubernetes and HAProxy in Europe, failure to address this vulnerability could result in targeted attacks exploiting this vector to gain footholds in enterprise cloud environments.
Mitigation Recommendations
1. Immediately upgrade to the fixed versions of HAProxy Enterprise Kubernetes Ingress Controller (3.0.16-ee1, 1.11.13-ee1, or 1.9.15-ee1) or later.
2. Disable the config-snippets feature flag if it is not essential, to reduce the attack surface.
3. Enforce strict Role-Based Access Control (RBAC) policies to limit create/update permissions on ingress resources to trusted administrators only.
4. Implement monitoring and alerting for unusual ingress configuration changes or suspicious access patterns.
5. Conduct regular audits of ingress resource configurations to detect unauthorized snippets or anomalies.
6. Use network segmentation and Kubernetes network policies to limit exposure of ingress controllers.
7. Educate DevOps and security teams about the risks associated with config-snippets and the importance of least privilege principles.
8. Integrate vulnerability scanning and compliance checks into CI/CD pipelines to catch vulnerable versions before deployment.
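Two of the recommendations above (checking the deployed controller version against the fixed releases, and auditing Ingress objects for config snippets) can be scripted. The script below is an added example, not tooling from HAProxy or from this advisory. It assumes that snippets are attached through annotations under the haproxy.org/ prefix (backend-config-snippet and frontend-config-snippet; adjust these keys to match your deployment), reads the JSON shape produced by `kubectl get ingress -A -o json`, and uses a constructed sample Ingress list so it runs offline. The fixed version numbers come from the advisory text.

```python
"""Audit helpers for CVE-2025-59303 in the HAProxy Kubernetes Ingress Controller.

Added example, not HAProxy's or the advisory's own code. Two checks:
  1. compare a controller image tag with the fixed versions the advisory lists;
  2. flag Ingress objects that carry config-snippet annotations.
The annotation keys are an assumption about the controller's haproxy.org/
annotation prefix; change them to match the deployment being audited.
"""
import json
import re
import sys

# Assumed annotation keys through which users attach config snippets to an Ingress.
SNIPPET_ANNOTATIONS = (
    "haproxy.org/backend-config-snippet",
    "haproxy.org/frontend-config-snippet",
)

# Fixed versions stated in the advisory, keyed by (major, minor) release line:
# community 3.1.13; enterprise 3.0.16-ee1, 1.11.13-ee1, 1.9.15-ee1.
FIXED_BY_LINE = {
    (3, 1): (3, 1, 13),
    (3, 0): (3, 0, 16),
    (1, 11): (1, 11, 13),
    (1, 9): (1, 9, 15),
}
COMMUNITY_FIXED = (3, 1, 13)  # "before 3.1.13" applies to any line not listed above


def parse_version(tag):
    """Extract (major, minor, patch) from an image tag such as 'v3.0.15-ee1'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_version(tag):
    """True if the tag is below the fixed patch for its release line, False if
    it is at or above the fix, None if the tag has no parsable version ('latest')."""
    v = parse_version(tag)
    if v is None:
        return None
    return v < FIXED_BY_LINE.get(v[:2], COMMUNITY_FIXED)


def find_snippet_ingresses(ingress_list):
    """Return [(namespace, name, [annotation keys])] for every Ingress in a
    `kubectl get ingress -A -o json` document that carries a snippet annotation."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        hits = sorted(k for k in annotations if k in SNIPPET_ANNOTATIONS)
        if hits:
            findings.append((meta.get("namespace"), meta.get("name"), hits))
    return findings


# Constructed sample in the kubectl JSON shape; not taken from a real cluster.
SAMPLE_INGRESS_LIST = {
    "items": [
        {"metadata": {"namespace": "shop", "name": "web",
                      "annotations": {"haproxy.org/backend-config-snippet":
                                      "http-request set-header X-Demo 1"}}},
        {"metadata": {"namespace": "shop", "name": "api",
                      "annotations": {"haproxy.org/ssl-redirect": "true"}}},
        {"metadata": {"namespace": "tenant-b", "name": "blog"}},
    ]
}


def main(argv):
    # Usage: kubectl get ingress -A -o json | python3 audit.py [controller-image-tag]
    # Without piped input the constructed sample is audited instead.
    data = SAMPLE_INGRESS_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, name, keys in find_snippet_ingresses(data):
        print(f"snippet annotation on {ns}/{name}: {', '.join(keys)}")
    if len(argv) > 1:
        label = {True: "VULNERABLE", False: "fixed", None: "unknown"}
        print(f"controller tag {argv[1]}: {label[is_vulnerable_version(argv[1])]}")


if __name__ == "__main__":
    main(sys.argv)
```

Any Ingress the audit flags should be reviewed against the list of administrators who are permitted to use snippets; if snippets are not needed at all, disabling the feature flag (recommendation 2) removes the finding class entirely. The version check treats any release line not named in the advisory as subject to the generic "before 3.1.13" rule.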
Affected Countries
Germany, France, Netherlands, United Kingdom, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-09-12T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e68dfc47cdb70919dbcb39
Added to database: 10/8/2025, 4:14:52 PM
Last enriched: 10/8/2025, 4:29:14 PM
Last updated: 10/8/2025, 5:36:50 PM