{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23742", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-15T15:45:01.958Z", "datePublished": "2026-01-16T20:07:46.746Z", "dateUpdated": "2026-01-16T20:24:12.702Z"}, "containers": {"cna": {"title": "Skipper arbitrary code execution through lua filters", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-250", "lang": "en", "description": "CWE-250: Execution with Unnecessary Privileges", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-522", "lang": "en", "description": "CWE-522: Insufficiently Protected Credentials", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/zalando/skipper/security/advisories/GHSA-cc8m-98fm-rc9g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zalando/skipper/security/advisories/GHSA-cc8m-98fm-rc9g"}, {"name": "https://github.com/zalando/skipper/commit/0b52894570773b29e2f3c571b94b4211ef8fa714", "tags": ["x_refsource_MISC"], "url": "https://github.com/zalando/skipper/commit/0b52894570773b29e2f3c571b94b4211ef8fa714"}, {"name": "https://github.com/zalando/skipper/releases/tag/v0.23.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/zalando/skipper/releases/tag/v0.23.0"}], "affected": [{"vendor": "zalando", "product": "skipper", "versions": [{"version": "< 0.23.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-16T20:07:46.746Z"}, "descriptions": [{"lang": "en", "value": "Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The configuration inline allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs, they an read skipper secrets. This vulnerability is fixed in 0.23.0."}], "source": {"advisory": "GHSA-cc8m-98fm-rc9g", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-16T20:22:53.499072Z", "id": "CVE-2026-23742", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T20:24:12.702Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23742", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-16T20:22:53.499072Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T20:23:49.789Z"}}], "cna": {"title": "Skipper arbitrary code execution through lua filters", "source": {"advisory": "GHSA-cc8m-98fm-rc9g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "zalando", "product": "skipper", "versions": [{"status": "affected", "version": "< 0.23.0"}]}], "references": [{"url": "https://github.com/zalando/skipper/security/advisories/GHSA-cc8m-98fm-rc9g", "name": "https://github.com/zalando/skipper/security/advisories/GHSA-cc8m-98fm-rc9g", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/zalando/skipper/commit/0b52894570773b29e2f3c571b94b4211ef8fa714", "name": "https://github.com/zalando/skipper/commit/0b52894570773b29e2f3c571b94b4211ef8fa714", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/zalando/skipper/releases/tag/v0.23.0", "name": "https://github.com/zalando/skipper/releases/tag/v0.23.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The configuration inline allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs, they an read skipper secrets. This vulnerability is fixed in 0.23.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-250", "description": "CWE-250: Execution with Unnecessary Privileges"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522: Insufficiently Protected Credentials"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-16T20:07:46.746Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23742", "state": "PUBLISHED", "dateUpdated": "2026-01-16T20:24:12.702Z", "dateReserved": "2026-01-15T15:45:01.958Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-16T20:07:46.746Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zalando:skipper:*:*:*:*:*:*:*:*", "matchCriteriaId": "B0D14C02-AFA2-4DFF-BFE2-65B34B7B0F81", "versionEndExcluding": "0.23.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The configuration inline allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs, they an read skipper secrets. This vulnerability is fixed in 0.23.0."}], "id": "CVE-2026-23742", "lastModified": "2026-02-18T16:28:20.980", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-16T20:15:51.613", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/zalando/skipper/commit/0b52894570773b29e2f3c571b94b4211ef8fa714"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/zalando/skipper/releases/tag/v0.23.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/zalando/skipper/security/advisories/GHSA-cc8m-98fm-rc9g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-250"}, {"lang": "en", "value": "CWE-522"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T05:38:43.377151+00:00", "value": {"mitigation_remediation": ["Upgrade Skipper to version 0.23.0 or later.", "If an upgrade cannot be performed immediately, remove or disable the -lua-sources=inline option so that only file\u2011based Lua sources are allowed.", "Restrict the creation of Ingress resources or other configuration entry points to trusted administrators to prevent untrusted users from injecting Lua filters."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary Code Execution"}, "threat_synthesis": {"affected_systems": "Zalando Skipper, all releases prior to 0.23.0 that expose the -lua\u2011sources=inline option, such as deployments using the default configuration. The issue becomes exploitable when untrusted users can add Lua filters \u2014 for example through a Kubernetes Ingress that forwards arbitrary routing rules to the Skipper service.", "description_and_impact": "An attacker who can inject Lua scripts into Skipper\u2019s routing configuration can execute arbitrary code on the machine running the proxy. The vulnerability stems from the default configuration that allows inline Lua sources. Because the Lua runtime is granted the same filesystem permissions as the Skipper process, a crafted script can read any file the process can access, including Skipper\u2019s own secrets. This alone results in disclosure of sensitive information, and the same capability can be used to write or delete files, execute binaries or alter network behaviour. The weakness is represented by CWE\u2011250 (Privilege\u2011Increases), CWE\u201194 (Code Injection), and CWE\u2011522 (Insufficient Protection of Secrets).", "risk_and_exploitability": "The score of 8.8 on the CVSS metric labels this a high\u2011severity flaw. The EPSS value of less than 1\u202f% indicates a very low exploitation probability at present, and the vulnerability is not yet present in the CISA KEV catalog. Nonetheless, the fault allows local file read and potential arbitrary code execution if an attacker can supply Lua scripts. Since the attack requires creating or modifying a routing rule that contains Lua code, the vector is inferred to be either local or compromise of the configuration channel (e.g., a mis\u2011configured Ingress)."}}}}, "created": "2026-01-19T09:19:43.535713+00:00", "updated": "2026-04-18T05:45:38.172072+00:00", "vendors": ["zalando", "zalando$PRODUCT$skipper"]}