Critical Bugs In Ingress-NGINX Allow Kubernetes Cluster Takeover
Researchers have disclosed a series of vulnerabilities in the ingress-nginx controller for Kubernetes that can enable an attacker to gain access to all of the secrets stored across all namespaces and take over a target Kubernetes cluster.
CVEs: CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974
Why It Matters: The flaws affect one of the most popular ingress controllers for Kubernetes and give an adversary the ability to take complete control of a Kubernetes cluster. The ingress-nginx controller is provided by the Kubernetes project, and its admission controller validates incoming ingress objects before they are deployed to a Kubernetes Pod. Researchers at Wiz, who discovered the vulnerabilities, identified more than 6,500 clusters that are currently exposing vulnerable controllers. The maintainers of the ingress-nginx controller released updates to address the vulnerabilities today.
Key Details
- Ingress is a Kubernetes feature that allows users to expose Kubernetes apps externally, and ingress controllers take incoming traffic and route it to the correct service.
- The ingress-nginx controller is a popular controller based on the NGINX reverse proxy. Researchers at Wiz discovered five separate vulnerabilities that, when combined, allow an adversary to take control of a vulnerable Kubernetes cluster.
- From the Wiz advisory: “When the Ingress-NGINX admission controller processes an incoming ingress object, it constructs an NGINX configuration from it and then validates it using the NGINX binary. Our team found a vulnerability in this phase that allows injecting an arbitrary NGINX configuration remotely, by sending a malicious ingress object directly to the admission controller through the network. During the configuration validation phase, the injected NGINX configuration causes the NGINX validator to execute code, allowing remote code execution (RCE) on the Ingress NGINX Controller’s pod.”
- The most serious of the flaws is CVE-2025-1974. From the Kubernetes advisory: “CVE-2025-1974 means that anything on the Pod network has a good chance of taking over your Kubernetes cluster, with no credentials or administrative access required. In many common scenarios, the Pod network is accessible to all workloads in your cloud VPC, or even anyone connected to your corporate network! This is a very serious situation.”
- The updated versions are 1.12.1 and 1.11.5.
- This set of vulnerabilities only affects ingress-nginx, not other ingress controllers. Users of vulnerable versions of the controller should update immediately. If it’s not possible to update right away, the Wiz researchers recommend the following mitigations: “Enforce strict network policies so only the Kubernetes API Server can access the admission controller. Temporarily disable the admission controller component of Ingress-NGINX if you cannot upgrade right away.”
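To make the "update immediately" step concrete, the script below is an added triage helper (example code, not from Vulnerable U, Wiz, or the ingress-nginx project). It takes container image references as they appear in Pod specs, pulls out the ingress-nginx controller tag, and reports whether each running controller is at or above the fixed releases named above (1.12.1 and 1.11.5), treating every older line as vulnerable because no fix was released for those. It assumes the controller image path contains `ingress-nginx/controller` (or the `controller-chroot` variant); the image references in `SAMPLE_IMAGES` are constructed, standing in for what `kubectl get pods -A -o jsonpath='{..image}'` would return.

```python
"""Triage ingress-nginx controller image tags against the fixed releases.

Added example, not code from Vulnerable U, Wiz, or the Kubernetes project.
Fixed releases per the post: 1.12.1 (1.12 line) and 1.11.5 (1.11 line).
"""
import re

FIXED_1_12 = (1, 12, 1)
FIXED_1_11 = (1, 11, 5)

# Matches the plain semantic-version tag (and optional digest) of an
# ingress-nginx controller image. The repository path is an assumption about
# how the image is usually named; adjust it if your cluster pulls from a mirror.
_IMAGE_RE = re.compile(
    r"ingress-nginx/controller(?:-chroot)?:v?(?P<tag>\d+\.\d+\.\d+)"
    r"(?:@sha256:[0-9a-f]{64})?$"
)


def parse_version(image: str):
    """Return (major, minor, patch) for a controller image reference, or None
    when the reference is not a controller image with a plain X.Y.Z tag."""
    m = _IMAGE_RE.search(image)
    if not m:
        return None
    return tuple(int(part) for part in m.group("tag").split("."))


def is_patched(version) -> bool:
    """True when the version carries the fix: >= 1.12.1, or 1.11.5 <= v < 1.12.0.
    Anything older (every 1.10.x and earlier line included) is treated as
    vulnerable, since no fix was published for those lines."""
    if version >= FIXED_1_12:
        return True
    return FIXED_1_11 <= version < (1, 12, 0)


def triage(images):
    """Bucket image references into 'patched', 'vulnerable', and 'skipped'
    (images that are not the controller or whose tag could not be parsed)."""
    result = {"patched": [], "vulnerable": [], "skipped": []}
    for image in images:
        version = parse_version(image)
        if version is None:
            result["skipped"].append(image)
        elif is_patched(version):
            result["patched"].append(image)
        else:
            result["vulnerable"].append(image)
    return result


# Constructed sample input; in practice feed in the images from all namespaces.
SAMPLE_IMAGES = [
    "registry.k8s.io/ingress-nginx/controller:v1.12.0",
    "registry.k8s.io/ingress-nginx/controller:v1.12.1",
    "registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:" + "0" * 64,
    "registry.k8s.io/ingress-nginx/controller-chroot:v1.11.5",
    "registry.k8s.io/ingress-nginx/controller:v1.9.6",
    "docker.io/library/nginx:1.27",  # plain NGINX, not the ingress controller
    "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4",  # helper image
]

if __name__ == "__main__":
    for bucket, refs in triage(SAMPLE_IMAGES).items():
        for ref in refs:
            print(f"{bucket:10s} {ref}")
```

Anything that lands in the `vulnerable` bucket should be upgraded; until that happens, the Wiz mitigations above (restricting network access to the admission webhook, or disabling the admission controller component) apply to those controllers. The `skipped` bucket is worth a manual look, since a mirrored or renamed image would not match the assumed path.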