Security Updates Released for Ingress NGINX Controller for Kubernetes
Five vulnerabilities discovered in Ingress NGINX Controller for Kubernetes could allow for takeover of a Kubernetes cluster
Summary
Five vulnerabilities discovered in Ingress NGINX Controller for Kubernetes could allow for takeover of a Kubernetes cluster
Affected platforms
The following platforms are known to be affected:
Threat details
Proof-of-Concept exploit released
A proof-of-concept (PoC) exploit has been released for:
- CVE-2025-1974
- CVE-2025-1097
- CVE-2025-1098
- CVE-2025-24514
- CVE-2025-24513
The NHS England National CSOC assesses exploitation of these vulnerabilities as more likely.
Introduction
Five vulnerabilities have been discovered in the Ingress NGINX Controller for Kubernetes. The NGINX Ingress Controller is a tool used in Kubernetes environments to manage and route external traffic to services within the cluster. The Ingress Controller acts as a reverse proxy and load balancer, supporting protocols such as WebSocket, gRPC, TCP and UDP, and also provides features such as content-based routing and TLS/SSL termination.
Vulnerability details
- CVE-2025-1974 - ingress-nginx admission controller RCE escalation
CVE-2025-1974 is a critical 'improper isolation or compartmentalisation' vulnerability with a CVSSv3 score of 9.8. An unauthenticated attacker with access to the pod network could execute arbitrary code within the ingress-nginx controller. As a result, an attacker could gain access to all cluster secrets across namespaces and control over the Kubernetes cluster.
- CVE-2025-1097, CVE-2025-1098 and CVE-2025-24514 - ingress-nginx controller configuration injection via unsanitised annotation
CVE-2025-1097, CVE-2025-1098 and CVE-2025-24514 are high 'improper input validation' vulnerabilities, all with CVSSv3 scores of 8.8. An attacker could exploit ingress annotations to inject arbitrary configuration into the ingress-nginx controller. As a result, an attacker could perform arbitrary code execution (ACE) within the ingress-nginx controller and expose secrets accessible to the controller.
- CVE-2025-24513 - ingress-nginx controller auth secret file path traversal vulnerability
CVE-2025-24513 is a medium 'improper input validation' vulnerability with a CVSSv3 score of 4.8. An attacker could exploit the ingress-nginx admission controller feature to include attacker-provided data in a filename, leading to directory traversal within the container. This could result in denial-of-service (DoS) or, when combined with other vulnerabilities, limited disclosure of secret objects from a Kubernetes cluster.
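The three configuration-injection vulnerabilities above all hinge on annotation values that are copied into the generated nginx configuration without sanitisation. A defender can look for that condition directly in the cluster's Ingress objects. The script below is an added example, not code from the advisory or from the ingress-nginx project: it reads the output of `kubectl get ingress -A -o json`, scans every `nginx.ingress.kubernetes.io/` annotation for characters that would end or open an nginx directive, and reports snippet annotations (which carry raw nginx config by design) so their presence can be confirmed as intentional. The annotation prefix, the `-snippet` suffix and the sample Ingress objects are the only assumptions; the sample data is constructed.

```python
"""Audit ingress-nginx annotations for values that could alter the generated
nginx configuration. Added example; not code from the advisory or ingress-nginx."""
import json
import sys

# Prefix of the annotations ingress-nginx turns into nginx configuration.
ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"

# Characters that terminate an nginx directive, open or close a block, or start
# a comment. Ordinary hostnames, paths, URLs and certificate CNs never need them.
SUSPICIOUS = {
    "\n": "newline (directive terminator)",
    "\r": "carriage return",
    ";": "semicolon (directive terminator)",
    "{": "open brace (block start)",
    "}": "close brace (block end)",
    "#": "hash (nginx comment)",
}

# Snippet annotations carry raw nginx config by design, so they are reported
# whenever present rather than scanned character by character.
SNIPPET_SUFFIX = "-snippet"


def audit_ingress(ing):
    """Return (namespace, name, annotation, reason) tuples for one Ingress object."""
    meta = ing.get("metadata", {})
    ns = meta.get("namespace", "default")
    name = meta.get("name", "<unnamed>")
    findings = []
    for key, value in (meta.get("annotations") or {}).items():
        if not key.startswith(ANNOTATION_PREFIX):
            continue
        if key.endswith(SNIPPET_SUFFIX):
            findings.append((ns, name, key, "raw nginx snippet annotation present"))
            continue
        for ch, reason in SUSPICIOUS.items():
            if ch in str(value):
                findings.append((ns, name, key, reason))
                break  # one reason per annotation is enough for triage
    return findings


def audit_ingress_list(doc):
    """doc: parsed output of `kubectl get ingress -A -o json`."""
    findings = []
    for item in doc.get("items", []):
        findings.extend(audit_ingress(item))
    return findings


# Constructed sample: one ordinary Ingress and one whose annotation value
# contains a newline. No real payload is included.
SAMPLE = {
    "items": [
        {"metadata": {"namespace": "shop", "name": "storefront", "annotations": {
            "nginx.ingress.kubernetes.io/rewrite-target": "/",
            "nginx.ingress.kubernetes.io/ssl-redirect": "true",
            "kubernetes.io/ingress.class": "nginx"}}},
        {"metadata": {"namespace": "dev", "name": "scratch", "annotations": {
            "nginx.ingress.kubernetes.io/server-alias": "alias.example.com\n# constructed"}}},
    ]
}

if __name__ == "__main__":
    # Usage: kubectl get ingress -A -o json | python3 audit_annotations.py
    # With no piped input the constructed sample is audited instead.
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, name, key, reason in audit_ingress_list(doc):
        print(f"{ns}/{name}: {key}: {reason}")
```

A hit is a reason to inspect the Ingress and its author, not proof of compromise; the check is deliberately broad because a patched controller rejects such values at admission time, so anything that still carries them was created while the cluster was unpatched or with the admission webhook disabled.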
Threat updates
| Date | Update |
|---|---|
| 27 Mar 2025 | Corrected affected versions |
Remediation advice
Affected organisations are strongly encouraged to review the ingress-nginx patch release and apply the relevant updates as soon as practicable.
Organisations unable to apply the patches should follow the mitigation guidance below.
Remediation steps
| Type | Step |
|---|---|
| Patch | Update to the latest version of ingress-nginx. https://github.com/kubernetes/website/blob/4763f1ccc2fd51c42d71d589094f5b1cbca3ed2c/content/en/blog/_posts/2025-03-24-ingress-nginx-CVE-2025-1974.md |
| Guidance | Organisations unable to apply the relevant updates are encouraged to turn off the Validating Admission Controller feature of ingress-nginx using one of the following methods: Note: Organisations that turn off the Validating Admission Controller feature as a mitigation for CVE-2025-1974 should remember to turn it back on after upgrade. This feature provides important quality of life improvements for your users, warning them about incorrect Ingress configurations before they can take effect. https://github.com/kubernetes/website/blob/4763f1ccc2fd51c42d71d589094f5b1cbca3ed2c/content/en/blog/_posts/2025-03-24-ingress-nginx-CVE-2025-1974.md |
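Before choosing between the patch and guidance steps above, an operator needs two facts about each controller: which image tag it runs and whether the validating admission webhook is switched on. The script below is an added example, not part of the advisory or of ingress-nginx: it reads the controller Deployment as returned by `kubectl get deploy -o json`, extracts the image tag, checks the `controller` container's arguments for the `--validating-webhook` flag that enables the admission feature, and prints which of the two remediation steps applies. The container name `controller` and the flag name match the upstream Helm chart; the image tag, the set of patched tags and the sample Deployment are constructed placeholders and must be replaced with values from the ingress-nginx release notes.

```python
"""Report whether an ingress-nginx controller is patched and whether its
validating admission webhook is enabled. Added example; not advisory or
project code."""
import json
import sys

# Argument that enables the validating admission webhook in ingress-nginx.
WEBHOOK_ARG = "--validating-webhook"


def image_tag(image):
    """Tag of an image reference, e.g. 'v1.2.3' from
    'registry.example/ingress-nginx/controller:v1.2.3@sha256:...'."""
    ref = image.split("@", 1)[0]      # drop any digest
    last = ref.rsplit("/", 1)[-1]     # drop registry host (and its port) and path
    return last.split(":", 1)[1] if ":" in last else "latest"


def webhook_enabled(args):
    """True if the controller args switch the admission webhook on.
    '--validating-webhook-certificate' and '--validating-webhook-key' do not count."""
    return any(a == WEBHOOK_ARG or a.startswith(WEBHOOK_ARG + "=") for a in args)


def audit_controller(deploy, patched_tags):
    """deploy: parsed Deployment JSON. patched_tags: tags the operator has
    confirmed as fixed from the ingress-nginx release notes (placeholder here)."""
    containers = deploy["spec"]["template"]["spec"]["containers"]
    ctrl = next(c for c in containers if c.get("name") == "controller")
    tag = image_tag(ctrl["image"])
    enabled = webhook_enabled(ctrl.get("args", []))
    patched = tag in patched_tags
    if patched:
        action = "patched: keep the admission webhook enabled"
    elif enabled:
        action = "unpatched and webhook enabled: apply the patch step, or the guidance step until you can"
    else:
        action = "unpatched but webhook disabled: apply the patch step, then re-enable the webhook"
    return {"tag": tag, "webhook_enabled": enabled, "patched": patched, "action": action}


# Constructed sample Deployment. The tag and digest are placeholders.
SAMPLE_DEPLOYMENT = {
    "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "controller",
        "image": "registry.k8s.io/ingress-nginx/controller:v0.0.0-sample@sha256:0000",
        "args": [
            "/nginx-ingress-controller",
            "--election-id=ingress-nginx-leader",
            "--controller-class=k8s.io/ingress-nginx",
            "--validating-webhook=:8443",
            "--validating-webhook-certificate=/usr/local/certificates/cert",
            "--validating-webhook-key=/usr/local/certificates/key",
        ],
    }]}}},
}

if __name__ == "__main__":
    # Usage: kubectl -n ingress-nginx get deploy ingress-nginx-controller -o json \
    #        | python3 audit_controller.py vA.B.C vX.Y.Z   (patched tags from the release notes)
    patched = set(sys.argv[1:]) or {"v9.9.9-placeholder"}
    deploy = SAMPLE_DEPLOYMENT if sys.stdin.isatty() else json.load(sys.stdin)
    print(json.dumps(audit_controller(deploy, patched), indent=2))
```

Run it against every controller Deployment in the cluster, not just the default one; clusters commonly run several ingress-nginx instances with different ingress classes, and each must be checked and patched separately. The `webhook_enabled` result is also the thing to re-check after the upgrade, since the advisory's note about turning the feature back on is easy to forget.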
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 27 March 2025 1:51 pm