Five vulnerabilities in the Ingress NGINX Controller for Kubernetes were discovered on the 24th of March 2025. The NGINX Ingress Controller is the component used in CE Kubernetes environments to manage and route external traffic to services within the cluster. The Ingress Controller acts as a reverse proxy and load balancer, supports protocols such as HTTP, WebSocket, gRPC, TCP and UDP, and also provides features such as content-based routing and TLS/SSL termination.
Vulnerability details
- CVE-2025-1974 - ingress-nginx admission controller RCE escalation

CVE-2025-1974 is a critical 'improper isolation or compartmentalisation' vulnerability with a CVSSv3 score of 9.8. An unauthenticated attacker with access to the pod network could execute arbitrary code within the ingress-nginx controller. As a result, an attacker could gain access to all cluster secrets across namespaces and take control of the Kubernetes cluster.

CE clusters are not affected by this vulnerability, as the Validating Admission Controller feature, which is the source of the vulnerability, is already disabled.

- CVE-2025-1097, CVE-2025-1098 and CVE-2025-24514 - ingress-nginx controller configuration injection via un-sanitised annotation

CVE-2025-1097, CVE-2025-1098 and CVE-2025-24514 are high 'improper input validation' vulnerabilities, all with CVSSv3 scores of 8.8. An attacker could exploit ingress annotations to inject arbitrary configuration into the ingress-nginx controller. As a result, an attacker could perform arbitrary code execution (ACE) within the ingress-nginx controller and expose secrets accessible to the controller.

CE clusters are affected by this vulnerability, which could allow an insider with kubectl access to the cluster to gain additional privileges.

- CVE-2025-24513 - ingress-nginx controller auth secret file path traversal vulnerability

CVE-2025-24513 is a medium 'improper input validation' vulnerability with a CVSSv3 score of 4.8. An attacker could exploit the ingress-nginx admission controller feature to include attacker-provided data in a filename, leading to directory traversal within the container. This could result in denial of service (DoS) or, when combined with other vulnerabilities, limited disclosure of secret objects from a Kubernetes cluster.

CE clusters are not affected by this vulnerability, as the Validating Admission Controller feature, which is the source of the vulnerability, is already disabled.
Mitigation
The fix for these vulnerabilities is to deploy a patched version of the Ingress NGINX Controller (v1.12.1), which will be included in the upcoming 6.8.6 and 6.9.0 releases. However, this fixed version contains breaking changes that require all ingress resources to be updated for them to continue to work. Because the ingress controller is a global, cluster-level component, all tenants need to update to 6.8.6 or to 6.9.0 or later before the fix can be deployed. The majority of CE customers are already on the latest version of CE and have automatic updates enabled, so they will have the necessary ingress re-configuration applied. For customers who have disabled automatic updates on their tenants, IFS will allow a grace period, up to the 30th of May, for the updates to be requested and tested. After the grace period expires, any tenant running an older or incompatible version of CE will be automatically upgraded so that it can continue to function after the fix is applied.
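The two conditions this advisory relies on, that the controller runs v1.12.1 or later and that the Validating Admission Controller is not registered, can be audited from cluster state. The following is an added example (not IFS's or the ingress-nginx project's own code) that evaluates both from the JSON that `kubectl get deploy -A -o json` and `kubectl get validatingwebhookconfigurations -o json` return; the sample input, image digests and webhook names below are constructed for illustration, not captured from a real cluster.

```python
import json
import re

FIXED = (1, 12, 1)  # first ingress-nginx release with the fixes (per the advisory)

def parse_tag(image):
    """(major, minor, patch) from e.g. registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:..."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image.split("@", 1)[0])
    return tuple(int(x) for x in m.groups()) if m else None

def unpatched_controllers(deploy_json):
    """(namespace, name, image) for ingress-nginx controllers below FIXED, or with no parseable tag."""
    hits = []
    for item in json.loads(deploy_json).get("items", []):
        for c in item["spec"]["template"]["spec"]["containers"]:
            if "ingress-nginx/controller" not in c["image"]:
                continue
            ver = parse_tag(c["image"])
            if ver is None or ver < FIXED:  # unknown tag is reported rather than assumed safe
                hits.append((item["metadata"]["namespace"], item["metadata"]["name"], c["image"]))
    return hits

def admission_webhooks(vwc_json):
    """ValidatingWebhookConfigurations still pointing at an ingress-nginx admission service."""
    names = []
    for item in json.loads(vwc_json).get("items", []):
        svcs = (w.get("clientConfig", {}).get("service", {}).get("name", "") for w in item.get("webhooks", []))
        if any("ingress-nginx" in s for s in svcs):
            names.append(item["metadata"]["name"])
    return names

# Constructed sample (hypothetical cluster), shaped like `kubectl get deploy -A -o json`
# and `kubectl get validatingwebhookconfigurations -o json`; one controller is still on v1.11.3.
SAMPLE_DEPLOYS = json.dumps({"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "controller", "image": "registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:0000"}]}}}},
    {"metadata": {"namespace": "default", "name": "web"},
     "spec": {"template": {"spec": {"containers": [{"name": "web", "image": "nginx:1.27"}]}}}}]})
SAMPLE_WEBHOOKS = json.dumps({"items": [
    {"metadata": {"name": "ingress-nginx-admission"},
     "webhooks": [{"name": "validate.nginx.ingress.kubernetes.io",
                   "clientConfig": {"service": {"namespace": "ingress-nginx",
                                                "name": "ingress-nginx-controller-admission"}}}]}]})

if __name__ == "__main__":
    print("controllers needing v1.12.1+:", unpatched_controllers(SAMPLE_DEPLOYS))
    print("admission webhooks registered:", admission_webhooks(SAMPLE_WEBHOOKS))
```

An empty result from both functions is the state the advisory describes for CE clusters after the fix is deployed; a non-empty webhook list means the admission feature behind CVE-2025-1974 and CVE-2025-24513 is still reachable.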