This page lists publicly disclosed CVE vulnerabilities affecting zalando skipper (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-24470 | Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach internal services. Version 0.24.0 disables Kubernetes ExternalName by default. As a workaround, developers can allow list targets of an ExternalName and allow list via regular expressions. | [email protected] | 8.1 | 0.02% | 2026-01-26 | 2026-02-18 |
| CVE-2026-23742 | Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The configuration inline allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs, they an read skipper secrets. | [email protected] | 8.8 | 0.02% | 2026-01-16 | 2026-02-18 |
| CVE-2022-38580 | Zalando Skipper v0.13.236 is vulnerable to Server-Side Request Forgery (SSRF). | [email protected] | 9.8 | 42.25% | 2022-10-25 | 2025-05-07 |
| CVE-2022-34296 | In Zalando Skipper before 0.13.218, a query predicate could be bypassed via a prepared request. | [email protected] | 7.5 | 0.18% | 2022-06-23 | 2024-11-21 |