Ingress-nginx CVE-2025-1974 - Report and Mitigation Procedures
A critical security vulnerability (CVE-2025-1974) has been identified in the ingress-nginx controller, an essential component for network traffic management in Kubernetes. Here you will find the remediation plan for SIGHUP Kubernetes Distribution Open Source and Enterprise installations.
Original Blog Post
https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/
CVE Description
A critical vulnerability (CVE-2025-1974) affects the validating admission webhook of the ingress-nginx controller. The webhook accepts connections from anything on the pod network without authentication, so an attacker who already has a foothold inside the pod network can send it a crafted Ingress object, inject arbitrary nginx configuration and obtain arbitrary code execution in the context of the ingress controller. Because the controller can read Secrets across all namespaces by default, this can lead to a full cluster compromise and to the disclosure of sensitive data such as Secrets.
The issue stems from a flaw in the validation mechanism itself: the webhook renders a candidate nginx configuration from the submitted object and tests it, and the submitted fields are not sanitized well enough to prevent malicious configuration from being injected into that test. All versions of the Distribution from 1.23.3 onwards are vulnerable.
Exposure Perimeter
This vulnerability presents a concrete risk only in specific scenarios.
In particular, it can be exploited only by:
- Workloads already running inside the cluster (for example a compromised application pod in any namespace, unless network policies restrict it) that can reach the ingress controller's validating webhook over the pod network
- Technical personnel with privileged access to the control plane who can interact with the Ingress Controller
In a standard installation the validating webhook is not reachable from outside the cluster, which rules out direct exploitation from the internet or other external networks.
There is, however, one exposure case to consider: if the pod network has been made routable from the corporate network (a non-standard configuration that requires deliberate changes), anyone on that network can reach the webhook and could exploit the vulnerability.
Immediate Mitigation Procedures
The mitigation below disables the ingress-nginx admission webhook, which removes the vulnerable component. Until the Distribution is upgraded, Ingress objects are therefore no longer validated when they are created or updated: a malformed Ingress is accepted by the API server and only surfaces as an error in the controller logs when the controller tries to load it. Re-enable the webhook once a fixed version is installed.
For nginx single configuration:
- Check the existing validating webhook with the following command:
kubectl get ValidatingWebhookConfiguration
and remove the nginx validating webhook with the following command:
kubectl delete ValidatingWebhookConfiguration ingress-nginx-admission
- Modify the daemonset configuration:
kubectl edit daemonset ingress-nginx-controller -n ingress-nginx
- Within the editor, locate the args list of the controller container at
spec.template.spec.containers[].args
and remove every argument that begins with --validating-webhook (--validating-webhook, --validating-webhook-certificate and --validating-webhook-key). Saving the change triggers a rolling restart of the controller pods with the webhook disabled.
For nginx dual configuration:
- Check the existing validating webhooks with the following command:
kubectl get ValidatingWebhookConfiguration
and remove both nginx validating webhooks:
kubectl delete ValidatingWebhookConfiguration ingress-nginx-admission-external ingress-nginx-admission-internal
- Modify each daemonset configuration:
kubectl edit daemonset ingress-nginx-controller-external -n ingress-nginx
and
kubectl edit daemonset ingress-nginx-controller-internal -n ingress-nginx
- In each editor, locate the args list of the controller container at
spec.template.spec.containers[].args
and remove every argument that begins with --validating-webhook (--validating-webhook, --validating-webhook-certificate and --validating-webhook-key). Saving each change triggers a rolling restart of that controller's pods with the webhook disabled.
Roadmap for Final Resolution
We will soon release new versions of the Distribution containing the definitive fix for this CVE:
- 1.31.1+
- 1.30.2+
- 1.29.7+
For customers with managed service support, all clusters will be updated automatically or will receive the changes needed to eliminate the vulnerability. For clusters running versions with no direct upgrade path to the new releases, custom workarounds will be applied to ensure protection.