When NGINX Plus is used as the data plane for NGINX Gateway Fabric, the configuration generator component improperly neutralizes special elements in user-supplied strings from the NginxProxy serverTokens field and the AuthenticationFilter extraAuthArgs field. These values are injected directly into NGINX configuration templates without sanitization, allowing an authenticated attacker with permission to create or modify these Custom Resource Definitions to inject arbitrary NGINX configuration directives. This is a control plane vulnerability with no direct data plane exposure. The affected version explicitly identified is 2.5.0. No official patch or remediation level has been published yet.

An authenticated attacker with permission to modify specific Custom Resource Definitions can inject arbitrary NGINX configuration directives, potentially leading to control over the NGINX configuration and impacting confidentiality and integrity of the system. The vulnerability does not directly expose the data plane, and availability impact is not indicated. The CVSS score is 8.1 (high severity), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and high impact on confidentiality and integrity.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict permissions to create or modify the affected Custom Resource Definitions (NginxProxy serverTokens and AuthenticationFilter extraAuthArgs fields) to trusted administrators only to reduce the risk of exploitation.