greetings to all,
On March 24, 2025 a critical vulnerability, CVE-2025-1974, was disclosed and a patch was released for ingress-nginx, which is widely used as a component on AKS clusters.
IngressNightmare: Ingress NGINX Remote Code Execution Vulnerability Explained
Background:
Ingress is the Kubernetes API object for exposing Services, and through them the “pods” behind them, to the outside world over HTTP/HTTPS.
An Ingress object does nothing on its own: an ingress controller implements it, acting as a reverse proxy and load balancer in front of the workload. Several ingress controllers exist.
ingress-nginx is a software-only controller built on NGINX. It is popular for its ease of use and is reportedly deployed on about 40% of Kubernetes clusters.
The most serious of the set is CVE-2025-1974 (CVSS 9.8). The ingress-nginx admission controller (the “Validating Admission” webhook) is reachable over the pod network without authentication, and it validates an incoming Ingress object by rendering it into an NGINX configuration and test-loading that configuration with nginx -t. Anyone on the pod network can therefore send a crafted Ingress object straight to the webhook and, by combining it with the configuration-injection flaws listed below, get NGINX to load attacker-controlled content during that test, which gives code execution inside the controller pod. Since the controller can read the secrets it has access to, an attacker on the pod network has a good chance of taking control of the Kubernetes cluster without any administrative credentials.
- Affected versions: all releases before v1.11.5, and v1.12.0 (fixed in v1.12.1)
- Tactics and Techniques: Code Execution
CRITICAL - CVE-2025-1974 | Kubernetes | CVSSv3 score: 9.8
An unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller under certain conditions.
HIGH - CVE-2025-1097 | Kubernetes | CVSSv3 score: 8.8
The auth-tls-match-cn Ingress annotation can be used to inject configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller.
HIGH - CVE-2025-1098 | Kubernetes | CVSSv3 score: 8.8
The mirror-target and mirror-host Ingress annotations can be used to inject arbitrary configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller.
HIGH - CVE-2025-24514 | Kubernetes | CVSSv3 score: 8.8
The auth-url Ingress annotation can be used to inject configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller.
- New versions, ingress-nginx v1.12.1 and v1.11.5, have been released and contain fixes for all of these vulnerabilities.
Releases · kubernetes/ingress-nginx
- How to check whether you are exposed: list the ingress-nginx controller pods in every namespace, then compare the image tag of each one against the fixed releases:
kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx
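The command above only lists the pods; the next step is to read each controller's image tag and compare it with the fixed releases. The following script is an added example, not part of the original post and not code from the ingress-nginx project: it does that comparison offline on constructed image references, and wraps it in a kubectl-based scan of a live cluster (the scan function assumes kubectl access and is not run by default).

```shell
#!/bin/sh
# Added example, not from the advisory or the ingress-nginx project.
# Classify an ingress-nginx controller image reference as patched or vulnerable
# to IngressNightmare. Fixed releases per the advisory: v1.11.5 and v1.12.1;
# older 1.11.x, 1.12.0 and every 1.10.x or earlier release is vulnerable.
# Prints patched | vulnerable | unknown and exits 0 | 1 | 2 accordingly.

ingress_nginx_status() {
  image="$1"
  ref="${image%%@*}"              # drop an @sha256:<digest> suffix, if any
  tag="${ref##*:}"                # the tag is whatever follows the last colon
  case "$tag" in
    */*) echo unknown; return 2 ;;   # no tag at all (or only a registry port)
  esac
  ver="${tag#v}"                  # v1.11.4 -> 1.11.4
  ver="${ver%%-*}"                # assumption: judge pre-releases (1.12.1-rc.1) by their base version
  major="${ver%%.*}"
  rest="${ver#*.}"
  case "$rest" in
    *.*) minor="${rest%%.*}"; patch="${rest#*.}" ;;
    *)   minor="$rest"; patch=0 ;;           # tolerate a two-part tag such as 1.12
  esac
  patch="${patch%%.*}"            # ignore anything after a third component
  case "$major$minor$patch" in
    *[!0-9]*|"") echo unknown; return 2 ;;   # latest, main, commit-sha tags, ...
  esac
  if [ "$major" -gt 1 ]; then
    echo patched; return 0
  fi
  if [ "$major" -eq 1 ]; then
    if [ "$minor" -ge 13 ] \
       || { [ "$minor" -eq 12 ] && [ "$patch" -ge 1 ]; } \
       || { [ "$minor" -eq 11 ] && [ "$patch" -ge 5 ]; }; then
      echo patched; return 0
    fi
  fi
  echo vulnerable; return 1
}

# Live check: every distinct controller image in the cluster, plus whether the
# admission webhook (the component CVE-2025-1974 targets) is registered.
# Requires kubectl access; not run automatically.
scan_cluster() {
  kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx \
      -o jsonpath='{range .items[*]}{range .spec.containers[*]}{.image}{"\n"}{end}{end}' |
    sort -u | while read -r img; do
      printf '%-10s %s\n' "$(ingress_nginx_status "$img")" "$img"
    done
  if kubectl get validatingwebhookconfiguration ingress-nginx-admission >/dev/null 2>&1; then
    echo "admission webhook ingress-nginx-admission is registered"
  fi
}

# Constructed sample image references for a stand-alone run (not from a real cluster;
# the digest is a placeholder).
for img in \
  registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:deadbeef \
  registry.k8s.io/ingress-nginx/controller:v1.12.0 \
  registry.k8s.io/ingress-nginx/controller:v1.12.1 \
  registry.k8s.io/ingress-nginx/controller:v1.11.5 \
  registry.k8s.io/ingress-nginx/controller:1.10.1 \
  registry.k8s.io/ingress-nginx/controller:latest; do
  printf '%-10s %s\n' "$(ingress_nginx_status "$img")" "$img"
done
```

Run it as-is to see the classification of the sample references; source the file and call scan_cluster against a cluster you have kubectl access to. A result of "unknown" (floating tags such as latest, or an image with no tag) means you have to inspect the running pod's image ID manually rather than trust the tag.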
- The fix is to upgrade to the patched version released by the ingress-nginx project:
Upgrade - Ingress-Nginx Controller
- If you cannot upgrade right away, you can mitigate the vulnerability by isolating or disabling the admission webhook:
Enforce strict network policies so that only the Kubernetes API server can reach the admission controller (the webhook port on the controller pods).
If you installed ingress-nginx with Helm, reinstall or upgrade the release with the admission webhook disabled:
“--set controller.admissionWebhooks.enabled=false”
If, on the other hand, you installed ingress-nginx manually:
- delete the “ValidatingWebhookConfiguration” called “ingress-nginx-admission”
- edit the Deployment and/or DaemonSet of the ingress-nginx-controller and remove the “--validating-webhook” flags from the controller container's argument list.
Revert these mitigations once you have upgraded: the admission webhook is what rejects malformed Ingress objects, so running without it permanently is not a good state to stay in.
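For the manual-install path, the two steps above can be scripted. The following is an added example, not code from the original post or from the ingress-nginx project: it builds a JSON Patch that strips every --validating-webhook* flag from the controller container's args (assuming the controller is containers[0] of the Deployment or DaemonSet, as in the upstream manifests) and pairs it with deleting the ingress-nginx-admission ValidatingWebhookConfiguration. The sample args are constructed; the live function assumes kubectl access and is not run automatically.

```shell
#!/bin/sh
# Added example, not from the advisory or the ingress-nginx project.
# Manual-install mitigation: build a JSON Patch that removes every
# --validating-webhook* flag from the controller container's args, then apply it
# together with deleting the ValidatingWebhookConfiguration.
# Assumptions: the controller is containers[0] (as in the upstream manifests) and
# its args are supplied one per line on stdin.

build_webhook_removal_patch() {
  cidx="${1:-0}"                  # index of the controller container
  awk -v cidx="$cidx" '
    # Record the 0-based position of every flag beginning with --validating-webhook
    # (--validating-webhook, --validating-webhook-certificate, --validating-webhook-key).
    index($0, "--validating-webhook") == 1 { idx[n++] = NR - 1 }
    END {
      printf "["
      # Emit removals from the highest index down: JSON Patch applies operations in
      # order, and removing a lower index first would shift every later path.
      for (i = n - 1; i >= 0; i--)
        printf "%s{\"op\":\"remove\",\"path\":\"/spec/template/spec/containers/%s/args/%d\"}", (i < n - 1 ? "," : ""), cidx, idx[i]
      printf "]\n"
    }'
}

# Live mitigation. Requires kubectl with rights on the namespace; not run automatically.
# Revert both steps once the controller is upgraded to v1.11.5 / v1.12.1 or later.
apply_webhook_mitigation() {
  ns="${1:-ingress-nginx}"; kind="${2:-deployment}"; name="${3:-ingress-nginx-controller}"
  # Step 1: stop the API server from calling the webhook at all.
  kubectl delete validatingwebhookconfiguration ingress-nginx-admission --ignore-not-found
  # Step 2: stop the controller from listening for admission requests.
  jsonpatch="$(kubectl get "$kind" "$name" -n "$ns" \
      -o jsonpath='{range .spec.template.spec.containers[0].args[*]}{@}{"\n"}{end}' |
    build_webhook_removal_patch 0)"
  if [ "$jsonpatch" = "[]" ]; then
    echo "no --validating-webhook flags found on $kind/$name in $ns"
  else
    kubectl patch "$kind" "$name" -n "$ns" --type=json -p "$jsonpatch"
  fi
}

# Constructed sample args, modelled on the upstream deploy manifest, for a stand-alone run.
printf '%s\n' \
  /nginx-ingress-controller \
  --election-id=ingress-nginx-leader \
  --controller-class=k8s.io/ingress-nginx \
  --ingress-class=nginx \
  '--configmap=$(POD_NAMESPACE)/ingress-nginx-controller' \
  --validating-webhook=:8443 \
  --validating-webhook-certificate=/usr/local/certificates/cert \
  --validating-webhook-key=/usr/local/certificates/key \
  | build_webhook_removal_patch 0
```

For the sample args the patch removes indices 7, 6 and 5 in that order; the descending order is the point, since a patch that removed index 5 first would then delete the wrong entries. For a Helm install do not patch the Deployment by hand; use the Helm value instead, or the next helm upgrade will put the flags back.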
cheers