The ingress-nginx maintainers have released patches for critical vulnerabilities that could allow attackers to take over Kubernetes clusters. Ingress-nginx is a popular software-only ingress controller, used in over 40% of Kubernetes clusters, that translates Ingress object requirements into configuration for the nginx webserver daemon. Four of the patches improve how ingress-nginx handles nginx configuration, preventing misbehavior and potential cluster takeover. The most serious vulnerability, CVE-2025-1974, allows anything on the Pod network to exploit configuration injection vulnerabilities via the Validating Admission Controller feature. It is particularly serious because it can be exploited without credentials or administrative access. Patches for the vulnerabilities have been released in ingress-nginx v1.12.1 and v1.11.5. Users are advised to check whether their clusters are running ingress-nginx and to upgrade to the new patch release immediately. If an upgrade is not possible, turning off the Validating Admission Controller feature significantly reduces the risk. The ingress-nginx maintainers and Kubernetes SRC members worked with security researchers to responsibly disclose and fix the vulnerabilities. Users are advised to take action immediately to protect their clusters and data.
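An added example (not from the Kubernetes blog post or the ingress-nginx project) of the check the page recommends: it classifies ingress-nginx controller image tags against the fixed releases v1.12.1 and v1.11.5, and then audits a live cluster for unpatched pods and for a still-registered admission webhook. The pod selector is the one the upstream advisory uses; the webhook object name `ingress-nginx-admission` and the vMAJOR.MINOR.PATCH tag format are assumptions.

```shell
#!/bin/sh
# Added example, not from the Kubernetes blog post or the ingress-nginx project.
# Classifies ingress-nginx controller image tags against the fixed releases
# named on the page (v1.12.1 and v1.11.5), then audits a live cluster.

# Exit 0 if the tag is at or above the patched release of its minor line.
# Assumes tags of the form vMAJOR.MINOR.PATCH; any -suffix or @digest is ignored.
ingress_nginx_tag_is_patched() {
  v="${1#v}"; v="${v%%[-+@]*}"
  old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
  major=${1:-0}; minor=${2:-0}; patch=${3:-0}
  case "$major.$minor" in
    1.12) [ "$patch" -ge 1 ] ;;
    1.11) [ "$patch" -ge 5 ] ;;
    *)    [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -gt 12 ]; } ;;
  esac
}

# Reads "namespace<TAB>pod<TAB>image" lines on stdin and prints one
# "ns/pod image STATUS" line each, STATUS being patched or VULNERABLE.
classify_pod_lines() {
  tab="$(printf '\t')"
  while IFS="$tab" read -r ns pod image; do
    ref="${image%%@*}"          # drop any @sha256:... digest
    tag="${ref##*:}"            # keep only the tag after the last colon
    if ingress_nginx_tag_is_patched "$tag"; then s=patched; else s=VULNERABLE; fi
    printf '%s/%s %s %s\n' "$ns" "$pod" "$image" "$s"
  done
}

# Live audit: find ingress-nginx pods (selector from the upstream advisory),
# flag unpatched images, and warn if the admission webhook (assumed default
# name ingress-nginx-admission) is still registered, since disabling it is
# the page's fallback mitigation for CVE-2025-1974 when you cannot upgrade.
audit_cluster() {
  kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx \
    -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.spec.containers[0].image}{"\n"}{end}' \
    | classify_pod_lines
  if kubectl get validatingwebhookconfiguration ingress-nginx-admission >/dev/null 2>&1; then
    echo "WARN: validating admission webhook still registered; CVE-2025-1974 reachable from the Pod network if unpatched"
  fi
}
```

Run `audit_cluster` against a cluster you administer; any line ending in VULNERABLE, or the WARN line on an unpatched cluster, is the condition the page tells you to fix.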
kubernetes.io
