A critical security vulnerability (CVE-2025-1974) in Kubernetes’ ingress-nginx controller has been disclosed, allowing unauthenticated attackers with pod network access to execute arbitrary code and potentially compromise entire clusters. Rated 9.8 (CRITICAL) on the CVSS scale, this flaw affects approximately 40% of Kubernetes environments using the popular ingress-nginx component[1].
Technical Analysis
The vulnerability chain, collectively dubbed “IngressNightmare” by researchers[3], stems from improper handling of NGINX configuration parameters in the ingress-nginx admission controller. Under specific conditions, an attacker can inject malicious NGINX configuration via crafted Ingress objects, trigger arbitrary code execution in the controller’s context, and access all Secrets cluster-wide (by default). The core issue lies in the admission controller’s network accessibility and elevated privileges.
The vulnerability becomes particularly dangerous when combined with other ingress-nginx flaws (CVE-2025-24514, CVE-2025-1097, CVE-2025-1098) that allow configuration injection through various annotations. While full exploit details remain undisclosed, researchers demonstrated that attackers could upload malicious shared libraries and bypass Kubernetes API authentication entirely[3].
Affected Versions and Detection
The vulnerability impacts all ingress-nginx versions before v1.11.0, versions v1.11.0 through v1.11.4, and v1.12.0. Administrators can check for vulnerable deployments using kubectl commands and should monitor for unusual AdmissionReview requests, unexpected NGINX configuration changes, and suspicious Secret access patterns.
Remediation and Mitigation
Organizations should immediately upgrade to patched versions (v1.12.1, v1.11.5, or v1.10.7 for legacy support). For environments where immediate patching isn’t possible, disabling the admission controller provides effective mitigation without service disruption. Post-upgrade, consider disabling snippet annotations if unused and implementing network policies to isolate controller pods.
Security Implications
For security teams, this vulnerability provides a potent lateral movement vector in Kubernetes environments. Blue teams should prioritize patching and monitor for unexpected admission controller traffic, while threat intelligence analysts should watch for exploit development in underground forums and mass scanning for exposed admission controllers.
Conclusion
CVE-2025-1974 represents a severe threat to Kubernetes environments, particularly those using ingress-nginx in default configurations. The combination of remote code execution and privileged access to cluster Secrets creates a clear path to complete cluster compromise. Organizations should treat this as a critical patching priority given the large attack surface (41% of internet-facing clusters according to Wiz[4]).
