Critical Vulnerabilities in Ingress-Nginx Controller for Kubernetes

Overview
Recent security research has uncovered multiple critical vulnerabilities in the widely used Ingress-Nginx controller for Kubernetes. These flaws, present in versions up to and including 1.12.0 and 1.11.4, allow unauthenticated remote code execution (RCE). Given that Ingress-Nginx is a key component for handling traffic within Kubernetes clusters, this issue poses a significant risk to cloud-native environments.
The Risk at Hand
Attackers can exploit these vulnerabilities through the default webhook service exposed by Ingress-Nginx. This webhook, typically available on TCP port 8443, is accessible to pods within the cluster. A malicious actor with network access can craft HTTP requests to trigger remote code execution, potentially gaining control over affected Kubernetes environments.
The identified CVEs associated with this issue include:
- CVE-2025-1097
- CVE-2025-1098
- CVE-2025-24513
- CVE-2025-24514
- CVE-2025-1974 (the most severe, with a CVSS score of 9.8)
Further details and vendor advisories can be found here:
Note: This vulnerability affects the Ingress-Nginx Controller, not the NGINX Ingress Controller — a common point of confusion.
How to Check if Your Cluster is Affected
Ingress-Nginx versions up to and including 1.12.0 and 1.11.4 are vulnerable.
To verify whether your cluster is affected, check whether the vulnerable admission webhook is registered:
kubectl get ValidatingWebhookConfiguration -A
If this command returns a webhook configuration belonging to Ingress-Nginx and your Ingress-Nginx version is within the affected range, your cluster is at risk.
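The version half of this check can be scripted. The following is an added example, not part of the original article: it extracts the tag from controller image references and tests it against the affected range stated above. The image references are constructed samples, and the label selector shown in the comment is an assumption (the upstream default label).

```sh
# image_tag IMAGE: print the tag ("v1.11.3"), or an empty line if untagged.
image_tag() {
  ref=${1%%@*}      # drop an "@sha256:..." digest
  last=${ref##*/}   # last path component, so a registry port is not read as a tag
  case $last in
    *:*) printf '%s\n' "${last##*:}" ;;
    *)   printf '\n' ;;
  esac
}

# is_affected VERSION: 0 = in affected range, 1 = outside it, 2 = unparseable.
# Range as stated in the article: up to and including 1.11.4, and 1.12.0.
is_affected() {
  v=${1#v}
  v=${v%%[-+]*}     # judge pre-release builds by their base version
  case $v in
    ''|*[!0-9.]*|*..*|.*|*.|*.*.*.*) return 2 ;;
    *.*.*) ;;
    *) return 2 ;;
  esac
  major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
  [ "$major" -lt 1 ] && return 0
  [ "$major" -gt 1 ] && return 1
  [ "$minor" -lt 11 ] && return 0
  [ "$minor" -eq 11 ] && [ "$patch" -le 4 ] && return 0
  [ "$minor" -eq 12 ] && [ "$patch" -le 0 ] && return 0
  return 1
}

# scan_images: read one image reference per line on stdin, print a verdict.
scan_images() {
  while IFS= read -r img; do
    [ -n "$img" ] || continue
    rc=0; is_affected "$(image_tag "$img")" || rc=$?
    case $rc in
      0) echo "AFFECTED      $img" ;;
      1) echo "not-in-range  $img" ;;
      *) echo "UNKNOWN-TAG   $img" ;;
    esac
  done
}

# Constructed sample input. On a live cluster, pipe this in instead (assumed label):
#   kubectl get pods -A -l app.kubernetes.io/name=ingress-nginx \
#     -o jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}'
scan_images <<'EOF'
registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:0000
registry.example.internal:5000/ingress-nginx/controller:v1.12.0
registry.k8s.io/ingress-nginx/controller:v1.12.1
EOF
```

An image pinned only by digest or tagged `latest` is reported as UNKNOWN-TAG and needs a manual version check.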
Recommended Mitigation Steps
Immediate Action: Upgrade Ingress-Nginx
The best course of action is to update Ingress-Nginx to a patched version: