High severityOSV Advisory· Published Jan 16, 2026· Updated Jan 16, 2026
Skipper arbitrary code execution through lua filters
CVE-2026-23742
Description
Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The configuration inline allows these user to create a script that is able to read the filesystem accessible to the skipper process and if the user has access to read the logs, they an read skipper secrets. This vulnerability is fixed in 0.23.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/zalando/skipperGo | < 0.23.0 | 0.23.0 |
Affected products
1Patches
10b5289457077security: disable lua scripting by default (#3830)
4 files changed · +20 −9
config/config.go+3 −0 modified@@ -315,6 +315,7 @@ type Config struct { ClusterRatelimitMaxGroupShards int `yaml:"cluster-ratelimit-max-group-shards"` + EnableLua bool `yaml:"enable-lua"` LuaModules *listFlag `yaml:"lua-modules"` LuaSources *listFlag `yaml:"lua-sources"` @@ -654,6 +655,7 @@ func NewConfig() *Config { flag.IntVar(&cfg.ClusterRatelimitMaxGroupShards, "cluster-ratelimit-max-group-shards", 1, "sets the maximum number of group shards for the clusterRatelimit filter") + flag.BoolVar(&cfg.EnableLua, "enable-lua", false, "enable the Lua scripting engine to be able to use the lua() filter") flag.Var(cfg.LuaModules, "lua-modules", "comma separated list of lua filter modules. Use <module>.<symbol> to selectively enable module symbols, for example: package,base._G,base.print,json") flag.Var(cfg.LuaSources, "lua-sources", `comma separated list of lua input types for the lua() filter. Valid sources "", "file", "inline", "file,inline" and "none". Use "file" to only allow lua file references in lua filter. Default "" is the same as "file","inline". Use "none" to disable lua filters.`) @@ -1054,6 +1056,7 @@ func (c *Config) ToOptions() skipper.Options { ClusterRatelimitMaxGroupShards: c.ClusterRatelimitMaxGroupShards, + EnableLua: c.EnableLua, LuaModules: c.LuaModules.values, LuaSources: c.LuaSources.values,
config/config_test.go+1 −0 modified@@ -169,6 +169,7 @@ func defaultConfig(with func(*Config)) *Config { ClusterRatelimitMaxGroupShards: 1, ValidateQuery: true, ValidateQueryLog: true, + EnableLua: false, LuaModules: commaListFlag(), LuaSources: commaListFlag(), OpenPolicyAgentCleanerInterval: openpolicyagent.DefaultCleanIdlePeriod,
skipper.go+15 −8 modified@@ -990,6 +990,11 @@ type Options struct { // KubernetesEnableTLS enables kubernetes to use resources to terminate tls KubernetesEnableTLS bool + // EnableLua allows to use lua() filters, if not enabled + // skipper does not support Lua, because of security + // considerations. + EnableLua bool + // LuaModules that are allowed to be used. // // Use <module>.<symbol> to selectively enable module symbols, @@ -2045,15 +2050,17 @@ func run(o Options, sig chan os.Signal, idleConnsCH chan struct{}) error { o.CustomFilters = append(o.CustomFilters, compress) } - lua, err := script.NewLuaScriptWithOptions(script.LuaOptions{ - Modules: o.LuaModules, - Sources: o.LuaSources, - }) - if err != nil { - log.Errorf("Failed to create lua filter: %v.", err) - return err + if o.EnableLua { + lua, err := script.NewLuaScriptWithOptions(script.LuaOptions{ + Modules: o.LuaModules, + Sources: o.LuaSources, + }) + if err != nil { + log.Errorf("Failed to create lua filter: %v.", err) + return err + } + o.CustomFilters = append(o.CustomFilters, lua) } - o.CustomFilters = append(o.CustomFilters, lua) // create routing // create the proxy instance
VERSION+1 −1 modified@@ -1 +1 @@ -v0.22 +v0.23
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-cc8m-98fm-rc9gghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-23742ghsaADVISORY
- github.com/zalando/skipper/commit/0b52894570773b29e2f3c571b94b4211ef8fa714ghsax_refsource_MISCWEB
- github.com/zalando/skipper/releases/tag/v0.23.0ghsax_refsource_MISCWEB
- github.com/zalando/skipper/security/advisories/GHSA-cc8m-98fm-rc9gghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.