IngressNightmare: Critical RCE Vulnerabilities in Kubernetes NGINX Ingress Controller

Five critical and high-severity vulnerabilities disclosed on March 24, 2025, collectively dubbed “IngressNightmare,” affect the widely deployed Kubernetes NGINX Ingress Controller. The most severe, CVE-2025-1974, enables unauthenticated remote code execution (RCE) and unauthorized access to cluster secrets. If you run NGINX Ingress Controller, immediate assessment and patching are essential.

Goal

Understand the IngressNightmare vulnerabilities, assess your exposure, and apply the necessary mitigations or patches to protect your Kubernetes clusters.

Prerequisites

  • Kubernetes cluster with NGINX Ingress Controller installed
  • kubectl access to the cluster
  • kubectl ingress-nginx plugin (optional but recommended)
  • Administrative access to validate and patch controller deployments

The Vulnerabilities at a Glance

The five disclosed CVEs span multiple severity levels and attack vectors:

CVE ID           Severity   Description
CVE-2025-1974    Critical   Unauthenticated RCE via the Ingress NGINX Admission Controller; allows secret access
CVE-2025-1098    High       Auth bypass in Ingress NGINX Admission Controller
CVE-2025-1097    High       Additional auth bypass vector
CVE-2025-24514   High       Input validation flaw leading to potential injection
CVE-2025-24513   Medium     Information disclosure in Admission Controller

Steps to Assess and Mitigate

Step 1: Confirm Your Controller Version

Check the running ingress-nginx controller image version:

kubectl get pods -n ingress-nginx -o jsonpath='{range .items[*]}{.spec.containers[0].image}{"\n"}{end}'

Vulnerable versions are prior to 1.12.1. If you see tags like v1.11.x, v1.10.x, or earlier, you are affected.

Step 2: Verify Admission Controller Exposure

The critical RCE (CVE-2025-1974) specifically targets the Admission Controller endpoint. Check if it is exposed:

kubectl get svc ingress-nginx-controller-admission -n ingress-nginx -o yaml | grep -A5 "ports:"

If the Admission Controller service is reachable from untrusted networks, prioritize immediate patching.

Step 3: Apply the Patch

Upgrade to ingress-nginx controller version 1.12.1 or later. Using the official Helm chart:

# Update the Helm repo
helm repo update ingress-nginx

# Upgrade the controller. The chart keys are controller.image.tag and
# controller.image.digest; the chart pins a digest, so clear it or the
# old digest wins over the new tag.
helm upgrade ingress-nginx ingress-nginx/ingress-nginx \
  --namespace ingress-nginx \
  --set controller.image.tag="v1.12.1" \
  --set controller.image.digest=""

For static manifests, apply the updated deployment YAML from the official releases page.

Step 4: Verify the Fix

After upgrading, confirm the new version is running:

kubectl get pods -n ingress-nginx -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[0].image}{"\n"}{end}'

Test ingress functionality to ensure no regression:

# List every ingress with its backends (the plugin has no "status" subcommand)
kubectl ingress-nginx ingresses --all-namespaces
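Putting Steps 1 through 4 together, the following shell script is an added example written for this page; it is not from the original article or from the ingress-nginx project. It scans every namespace for controller pods (so a second, internal controller is not missed), parses the image tag, and classifies each pod against the 1.12.1 threshold the article uses. It assumes the upstream image naming ingress-nginx/controller:vX.Y.Z and that the controller is the first container in its pod, as in the commands above. The function names (image_tag, version_ge, classify_image, report_pods, scan_cluster) and the sample pod lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article or the ingress-nginx project):
# audit a cluster for unpatched ingress-nginx controller pods.
# Assumption: images are tagged vX.Y.Z as upstream publishes them, and, as the
# article states, anything before 1.12.1 is treated as vulnerable.

FIXED_VERSION="1.12.1"

# Print the tag of an image reference, ignoring a registry ":port" and an
# optional "@sha256:..." digest suffix. Prints "none" when there is no tag.
image_tag() {
  ref=${1%%@*}          # drop the digest
  last=${ref##*/}       # keep only "controller:vX.Y.Z"
  case $last in
    *:*) printf '%s\n' "${last#*:}" ;;
    *)   printf 'none\n' ;;
  esac
}

# version_ge A B: succeed when dotted version A is >= B (numeric per field).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# classify_image REF: print PATCHED, VULNERABLE or UNKNOWN for one image.
classify_image() {
  tag=$(image_tag "$1")
  ver=${tag#v}
  case $ver in
    *-*) echo UNKNOWN ;;                     # pre-release or custom build: check by hand
    [0-9]*.[0-9]*.[0-9]*)
      if version_ge "$ver" "$FIXED_VERSION"; then echo PATCHED; else echo VULNERABLE; fi ;;
    *) echo UNKNOWN ;;                       # "latest", "none", or a custom tag
  esac
}

# report_pods: read "namespace pod image" lines on stdin, print one classified
# line per pod, and return 1 if any pod is VULNERABLE (0 otherwise).
report_pods() {
  found=0
  while read -r ns pod image; do
    [ -n "$image" ] || continue
    status=$(classify_image "$image")
    if [ "$status" = VULNERABLE ]; then found=1; fi
    printf '%-18s %-32s %-60s %s\n' "$ns" "$pod" "$image" "$status"
  done
  return $found
}

# scan_cluster: pull the first container image of every pod in every namespace,
# keep the ingress-nginx controller images, and classify them.
scan_cluster() {
  kubectl get pods --all-namespaces \
    -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{" "}{.spec.containers[0].image}{"\n"}{end}' \
    | grep 'ingress-nginx/controller' \
    | report_pods
}

# Constructed sample output (not from a real cluster) covering all three outcomes:
# an old tag with a digest, the fixed tag, and an unversioned tag on a private registry.
SAMPLE_PODS='ingress-nginx ingress-nginx-controller-7d9f registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:0000deadbeef
ingress-internal ingress-nginx-controller-a1b2 registry.k8s.io/ingress-nginx/controller:v1.12.1
ingress-nginx ingress-nginx-controller-c3d4 myreg.example:5000/ingress-nginx/controller:latest'

# Run the live scan only with --scan; otherwise classify the sample so the
# script can be tried without cluster access.
if [ "${1:-}" = "--scan" ]; then
  scan_cluster
else
  printf '%s\n' "$SAMPLE_PODS" | report_pods
fi
```

Run it as `sh audit-ingress.sh --scan` against a cluster; a non-zero exit status means at least one controller pod still needs the upgrade, which makes the script usable as a gate in CI or a cron-driven check. UNKNOWN tags (such as latest or a vendor build string) are deliberately not treated as patched: verify those by inspecting the running binary's version rather than trusting the tag.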

Common Pitfalls

  • Forgetting custom annotations: If you use custom NGINX configuration snippets, verify they still work post-upgrade. Test in staging first.
  • Network policy blocking Admission Controller: Some clusters use strict network policies. Ensure the Admission Controller webhook can still reach the API server after the update.
  • Multiple controller instances: If you run multiple ingress-nginx controllers (e.g., internal vs. external), patch all of them. Do not assume one update covers all entry points.
  • Third-party distribution lag: Managed Kubernetes providers (EKS, GKE, AKS) may not immediately have the patched version in their add-on catalog. Check their security bulletins and apply vendor-specific patches promptly.
