Kubernetes ingress-nginx RCE Vulnerability Explained (CVE-2025-1974)

A critical security vulnerability was identified in Kubernetes ingress-nginx that could allow an unauthenticated attacker to perform Remote Code Execution (RCE) within the ingress-nginx controller pod.

5/10/2026

Overview

Disclosed in March 2025, the flaw sits in the validating admission webhook that the ingress-nginx controller runs to check Ingress objects before the API server admits them. That webhook endpoint accepts requests from any client that can reach it, not only from the API server, which is what made an unauthenticated Remote Code Execution (RCE) inside the controller pod possible.

This vulnerability is tracked as:

  • CVE-2025-1974

  • CVSS Score: 9.8 (Critical)

The issue affects clusters running vulnerable versions of ingress-nginx. Because the controller's service account can read Secrets in every namespace (it needs them to serve TLS certificates), code execution in the controller pod exposes those Secrets and, through them, other cluster resources.

What is CVE-2025-1974?

CVE-2025-1974 is a critical vulnerability in the ingress-nginx admission controller, the component that validates Ingress objects on behalf of the API server.

Any client that can open a connection to the admission webhook (port 8443 in the controller pod, exposed inside the cluster through the ingress-nginx-controller-admission Service) can send it a crafted admission request and execute arbitrary code in the controller's context. No Kubernetes credentials are needed, because the webhook does not authenticate its callers. In most clusters that means any pod on the pod network; where the admission Service was exposed more widely, it means anyone who can reach it.

Since ingress-nginx controllers commonly have access to cluster-wide Secrets, successful exploitation may result in:

  • Exposure of Kubernetes Secrets

  • Unauthorized access to internal services

  • Privilege escalation

  • Lateral movement within the cluster

  • Full cluster compromise in severe cases

Why This Vulnerability Is Dangerous

The vulnerability needs no authentication and no user interaction: the webhook trusts whoever connects to it, and any workload on the pod network (or any client that can otherwise reach the admission Service) can connect.

The ingress-nginx controller is a highly privileged component in many Kubernetes environments. Its service account can read Secrets across all namespaces and it terminates TLS for every service behind it, so compromising it exposes credentials, certificates and the traffic of workloads across the cluster.

Together these properties make CVE-2025-1974 a critical issue for production Kubernetes environments.

Severity Details

Metric               Value
CVE ID               CVE-2025-1974
Severity             Critical
CVSS Score           9.8
Attack Vector        Network
Privileges Required  None
User Interaction     None

Affected Versions

The following ingress-nginx versions are vulnerable:

  • Versions earlier than v1.11.0

  • v1.11.0 to v1.11.4

  • v1.12.0

How to Check if Your Cluster Is Vulnerable

Run the following command to find ingress-nginx controller pods. The upstream Helm chart and manifests set this label; a customized install may use a different one, so if nothing matches, also look for pods running the registry.k8s.io/ingress-nginx/controller image:

kubectl get pods --all-namespaces \
--selector app.kubernetes.io/name=ingress-nginx

To check the running controller version, read the image tag of the controller container (the controller can also be installed as a DaemonSet, so check that kind as well if no Deployment is found):

kubectl describe deployment ingress-nginx-controller -n ingress-nginx

or, to print only the pod names and their image references:

kubectl get pods -n ingress-nginx \
-o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[*].image}{"\n"}{end}'
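The version list above, turned into a check that can be run over kubectl output, as an added example (not code from the original post). It assumes controller images follow the upstream vX.Y.Z tag scheme and carry the upstream app.kubernetes.io/name=ingress-nginx label; the pod list at the bottom is a constructed sample so the script also runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post: classify every ingress-nginx
# controller image in a cluster against the CVE-2025-1974 ranges given above.
#   vulnerable: anything before v1.11.0, v1.11.0 to v1.11.4, v1.12.0
#   fixed:      v1.11.5 and later 1.11.x, v1.12.1 and later
# Assumption: the image tag follows the upstream vX.Y.Z scheme (a mirror that
# retags images, or a :latest tag, cannot be classified and is reported UNKNOWN).

# tag_from_image IMAGE: print the tag of an image reference, e.g.
#   registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:... -> v1.12.0
tag_from_image() {
    ref=${1%%@*}                 # drop a @sha256:... digest first; it contains a colon
    tag=${ref##*:}
    case "$tag" in
        */*|"$ref") tag=latest ;; # no tag: either no colon at all, or only a registry port
    esac
    printf '%s\n' "$tag"
}

# classify_tag TAG: print VULNERABLE, FIXED or UNKNOWN (always exits 0)
classify_tag() {
    v=${1#v}
    case "$v" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) printf 'UNKNOWN\n'; return 0 ;;
    esac
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}      # strip a pre-release suffix such as -rc1
    if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 11 ]; }; then
        printf 'VULNERABLE\n'    # every release before v1.11.0
    elif [ "$major" -eq 1 ] && [ "$minor" -eq 11 ]; then
        if [ "$patch" -lt 5 ]; then printf 'VULNERABLE\n'; else printf 'FIXED\n'; fi
    elif [ "$major" -eq 1 ] && [ "$minor" -eq 12 ]; then
        if [ "$patch" -lt 1 ]; then printf 'VULNERABLE\n'; else printf 'FIXED\n'; fi
    else
        printf 'FIXED\n'         # 1.13 and later were cut after the fix
    fi
}

# scan_pods: read "NAMESPACE POD IMAGE" lines on stdin, print "NAMESPACE/POD TAG STATUS"
scan_pods() {
    while read -r ns pod image; do
        [ -n "$image" ] || continue
        tag=$(tag_from_image "$image")
        printf '%s/%s %s %s\n' "$ns" "$pod" "$tag" "$(classify_tag "$tag")"
    done
}

# Against a live cluster, feed scan_pods from kubectl (one line per controller pod):
#   kubectl get pods -A -l app.kubernetes.io/name=ingress-nginx \
#     -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{" "}{.spec.containers[0].image}{"\n"}{end}' \
#     | scan_pods
# Constructed sample of that output, so the script also runs offline:
SAMPLE_PODS='ingress-nginx ingress-nginx-controller-7d5f8 registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:0000000000000000000000000000000000000000000000000000000000000000
ingress-internal ingress-nginx-controller-4b9c2 registry.k8s.io/ingress-nginx/controller:v1.11.5
legacy ingress-nginx-controller-a1e33 registry.k8s.io/ingress-nginx/controller:v1.10.1'
printf '%s\n' "$SAMPLE_PODS" | scan_pods
```

The digest is stripped before the tag because a pinned reference carries two colons; anything that is not a recognisable version (a :latest tag, an internal mirror that retags images) is reported UNKNOWN rather than guessed, and should be resolved by hand against the image digest.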

Root Cause

The issue originates in how the ingress-nginx admission controller validates an Ingress: it renders the submitted object into an nginx configuration and test-loads that configuration with nginx to check it. Parts of the submitted object were copied into the generated configuration without adequate sanitization.

An attacker who could reach the admission webhook could therefore submit a crafted AdmissionReview whose Ingress injected nginx configuration directives, and use those directives to make nginx load attacker-controlled code during the validation step, giving code execution inside the controller pod.

Remediation Steps
Option 1: Upgrade ingress-nginx (Recommended)

Upgrade ingress-nginx to one of the fixed versions:

  • v1.11.5

  • v1.12.1

Example Helm upgrade. Upgrade the chart rather than overriding only controller.image.tag: the chart pins the controller image by digest as well as by tag, so a tag-only override against the old chart keeps the old digest, and a digest-pinned reference is pulled by digest, which leaves the vulnerable image running under a new tag. Chart 4.12.1 ships controller v1.12.1 and chart 4.11.5 ships v1.11.5:

helm repo update
helm upgrade ingress-nginx ingress-nginx/ingress-nginx \
--namespace ingress-nginx \
--version 4.12.1

Option 2: Disable Admission Webhooks

If an immediate upgrade is not possible, disable the admission webhook. This removes the vulnerable listener but does not fix the code, so re-enable it once the controller has been upgraded.

Using Helm:

helm upgrade ingress-nginx ingress-nginx/ingress-nginx \
--namespace ingress-nginx \
--set controller.admissionWebhooks.enabled=false

For a manifest-based install, delete the ValidatingWebhookConfiguration named ingress-nginx-admission and remove the --validating-webhook argument from the controller container. Do both: deleting only the webhook configuration stops the API server from calling the webhook, but the controller keeps listening on port 8443 and the flaw stays reachable from the pod network.

Note: Without the webhook, invalid Ingress objects are no longer rejected at admission time and only surface later as errors in the controller when it renders the nginx configuration.

Validation Steps

After remediation, verify that the deployed image tag is v1.11.5, v1.12.1 or later:

kubectl get deployment -n ingress-nginx ingress-nginx-controller \
-o=jsonpath='{.spec.template.spec.containers[0].image}'

To verify webhook configurations (after an upgrade the ingress-nginx-admission configuration should be present again; after a disable-only mitigation it should be absent):

kubectl get validatingwebhookconfigurations
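An added example, not from the original post, that interprets the two validation outputs together: whether any ValidatingWebhookConfiguration still calls the admission Service, and whether the controller is still started with the flag that opens the listener. It assumes the upstream object names (ingress-nginx-admission, ingress-nginx-controller-admission) and the upstream --validating-webhook flag; the kubectl outputs at the bottom are constructed. The case worth catching is the half-done mitigation, where the webhook registration was deleted but the listener on 8443 is still running.

```shell
#!/bin/sh
# Added example, not code from the original post: work out from kubectl output
# whether the ingress-nginx admission webhook is registered with the API server,
# whether the controller still runs its listener, and what the combination means.
# Assumptions: the upstream object names (ValidatingWebhookConfiguration
# ingress-nginx-admission, Service ingress-nginx-controller-admission) and the
# upstream --validating-webhook flag; a customized install may rename them.

ADMISSION_SVC=ingress-nginx-controller-admission

# referencing_configs: read "NAME SERVICE [SERVICE...]" lines on stdin (one per
# ValidatingWebhookConfiguration) and print the names that call the admission Service.
# Live input:
#   kubectl get validatingwebhookconfigurations \
#     -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.webhooks[*].clientConfig.service.name}{"\n"}{end}'
referencing_configs() {
    while read -r name services; do
        case " $services " in
            *" $ADMISSION_SVC "*) printf '%s\n' "$name" ;;
        esac
    done
}

# has_webhook_flag ARGS: yes if the controller container is started with
# --validating-webhook, the flag that opens the admission listener on 8443.
# Live input:
#   kubectl get deployment ingress-nginx-controller -n ingress-nginx \
#     -o jsonpath='{.spec.template.spec.containers[0].args[*]}'
has_webhook_flag() {
    case " $1 " in
        *" --validating-webhook="*|*" --validating-webhook "*) printf 'yes\n' ;;
        *) printf 'no\n' ;;
    esac
}

# webhook_status CONFIGS FLAG: interpret the two observations together.
#   ENABLED    registered and listening: the normal state, safe only on a fixed version
#   DISABLED   neither registered nor listening: the mitigation is complete
#   LISTENING  not registered, but still listening: the API server no longer calls
#              the webhook, yet port 8443 still answers unauthenticated requests,
#              so the vulnerable code path is still reachable
#   DANGLING   registered, but nothing listens: with the upstream failurePolicy Fail
#              the API server rejects every Ingress write until this is fixed
webhook_status() {
    configs=$1; flag=$2
    if [ -n "$configs" ] && [ "$flag" = yes ]; then printf 'ENABLED\n'
    elif [ -z "$configs" ] && [ "$flag" = no ]; then printf 'DISABLED\n'
    elif [ "$flag" = yes ]; then printf 'LISTENING\n'
    else printf 'DANGLING\n'
    fi
}

# Constructed sample of the two kubectl outputs: an install where only the
# ValidatingWebhookConfiguration was deleted, i.e. the incomplete mitigation.
SAMPLE_VWC='cert-manager-webhook cert-manager-webhook'
SAMPLE_ARGS='/nginx-ingress-controller --election-id=ingress-nginx-leader --controller-class=k8s.io/ingress-nginx --ingress-class=nginx --configmap=$(POD_NAMESPACE)/ingress-nginx-controller --validating-webhook=:8443 --validating-webhook-certificate=/usr/local/certificates/cert --validating-webhook-key=/usr/local/certificates/key'

configs=$(printf '%s\n' "$SAMPLE_VWC" | referencing_configs)
flag=$(has_webhook_flag "$SAMPLE_ARGS")
printf 'webhook configurations: %s\nlistener flag: %s\nstatus: %s\n' \
    "${configs:-none}" "$flag" "$(webhook_status "$configs" "$flag")"
```

Only DISABLED (for the disable-only mitigation) or ENABLED on a fixed image is an acceptable end state; LISTENING means the exposed code path still exists even though the API server no longer uses it, and DANGLING means Ingress writes are being rejected cluster-wide.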

Security Best Practices

To reduce the risk of similar vulnerabilities:

  • Keep ingress-nginx updated to the latest stable release

  • Restrict access to the admission webhook port (8443) to the API server with Kubernetes Network Policies, and never expose the admission Service outside the cluster

  • Limit RBAC permissions for ingress controllers; the default ClusterRole reads Secrets in every namespace, so consider scoping the controller to the namespaces it actually serves

  • Enable centralized logging and monitoring, including the controller's own logs

  • Regularly scan Kubernetes environments for vulnerabilities

  • Follow Kubernetes and ingress-nginx security advisories proactively
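The network policy item above, written out as an added example (not from the original post): a NetworkPolicy that allows the admission port 8443 only from the API server's addresses while leaving the data-plane ports 80 and 443 open. It assumes the upstream controller labels and the ingress-nginx namespace, and takes the API server CIDR as a parameter because managed control planes reach pods from addresses outside the pod network, so a podSelector cannot match them; 203.0.113.0/29 below is a placeholder, not a real value.

```shell
#!/bin/sh
# Added example, not code from the original post: emit a NetworkPolicy that lets
# only the Kubernetes API server reach the ingress-nginx admission listener (8443)
# while leaving the data-plane ports (80/443) open. Assumptions: controller pods
# carry the upstream labels app.kubernetes.io/name=ingress-nginx and
# app.kubernetes.io/component=controller; the API server's source CIDR is supplied
# by the caller (managed control planes call webhooks from addresses outside the
# pod network, so a podSelector cannot match them).

# admission_netpol_manifest APISERVER_CIDR [NAMESPACE]: print the manifest
admission_netpol_manifest() {
    cidr=$1; ns=${2:-ingress-nginx}
    cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-nginx-controller-admission
  namespace: $ns
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/component: controller
  policyTypes:
    - Ingress
  ingress:
    # Data plane: HTTP/HTTPS from anywhere (a rule with ports but no "from"
    # allows all sources). Add the metrics port here if Prometheus scrapes it.
    - ports:
        - port: 80
          protocol: TCP
        - port: 443
          protocol: TCP
    # Control plane: the admission webhook only from the API server.
    # Every other source, including all pods in the cluster, is denied on 8443.
    - from:
        - ipBlock:
            cidr: $cidr
      ports:
        - port: 8443
          protocol: TCP
EOF
}

# Print the manifest for the CIDR given on the command line; 203.0.113.0/29 is a
# documentation-range placeholder, not a real API server address.
# Apply with:  admission_netpol_manifest <api-server-cidr> | kubectl apply -f -
admission_netpol_manifest "${1:-203.0.113.0/29}"
```

Check which source addresses your API server uses for webhook calls before applying this (some clusters deliver API server traffic through a tunnel that appears to come from a node address, and the ipBlock must cover that instead), and remember that a NetworkPolicy only takes effect with a CNI that enforces it. Once the policy is in place, a connection to port 8443 from an ordinary pod should time out, which is the check that the mitigation works.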

Key Takeaways
  • CVE-2025-1974 is a critical Kubernetes ingress-nginx vulnerability with a CVSS score of 9.8

  • Vulnerable ingress-nginx versions can allow remote code execution

  • Upgrading to patched versions is strongly recommended

  • Kubernetes ingress controllers should always be secured and regularly updated

  • Continuous vulnerability monitoring is essential for production clusters

Final Thoughts

Security vulnerabilities in Kubernetes components can have serious consequences, especially when they affect high-privileged services like ingress controllers.

Regular patch management, proactive monitoring, and following Kubernetes security best practices are essential to maintaining a secure and resilient cloud-native environment.