Critical Ingress NGINX Controller vulnerability

The ingress-nginx maintainers have released patches for a batch of five vulnerabilities in the Ingress NGINX Controller for Kubernetes. The most serious of them, CVE-2025-1974, is rated critical with a CVSS score of 9.8 and allows anything on the Pod network to exploit configuration-injection flaws through the Validating Admission Controller feature of ingress-nginx.
Combined with the other four vulnerabilities, CVE-2025-1974 gives an attacker on the Pod network a good chance of taking over the Kubernetes cluster, with no credentials or administrative access required.
Because ingress-nginx is a popular ingress controller maintained by the Kubernetes project itself, versatile and easy to use,
it is deployed in over 40 percent of Kubernetes clusters. If you run Kubernetes, there is a good chance you have it.
What to do?
First, take a deep breath.
Then check whether your clusters are running ingress-nginx. You can usually find out with the following command (it needs cluster-admin permission):
kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx
If the controller pods it lists run any version earlier than v1.12.1, or earlier than v1.11.5 on the 1.11 branch, it is time to start patching.
The easiest way is to upgrade to the new patch release of ingress-nginx.
If for some reason you can't patch straight away, you can reduce the risk by turning off the Validating Admission Controller feature of ingress-nginx. Don't forget to turn it back on once you have patched: while it is off, misconfigured Ingress objects are no longer rejected at admission time.
If you installed ingress-nginx using Helm, reinstall, setting the Helm value:
controller.admissionWebhooks.enabled=false
If you installed ingress-nginx manually, delete the ValidatingWebhookConfiguration called ingress-nginx-admission, then edit the ingress-nginx-controller Deployment or DaemonSet and remove --validating-webhook from the controller container's argument list.
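As an added example, not code from the Kubernetes advisory or the ingress-nginx project, the following POSIX shell script ties the steps above together: it finds controller pods, compares each image tag with the fixed releases v1.12.1 and v1.11.5, and, when asked, applies the manual mitigation of deleting the webhook registration and dropping --validating-webhook from the controller's arguments. The file name ingress-nginx-check.sh, the extra label selector app.kubernetes.io/component=controller (which keeps the admission-job pods out of the scan), the assumption that the controller is the first container of its Deployment or DaemonSet, and the choice to leave the --validating-webhook-certificate and -key flags in place are mine; check them against your own install before relying on the script.

```shell
#!/bin/sh
# Added example (not ingress-nginx project code): triage CVE-2025-1974 exposure.
# Assumptions: cluster-admin kubectl access; controller pods carry the labels
# app.kubernetes.io/name=ingress-nginx and app.kubernetes.io/component=controller;
# the controller is the first container of its Deployment/DaemonSet.
# Usage:
#   sh ingress-nginx-check.sh --scan
#   sh ingress-nginx-check.sh --disable-webhook ingress-nginx deployment ingress-nginx-controller

FIXED_1_11=5   # v1.11.5 is the fixed release on the 1.11 branch
FIXED_1_12=1   # v1.12.1 is the fixed release on the 1.12 branch

# is_patched IMAGE -> 0 = fixed, 1 = vulnerable, 2 = version not parseable.
# Accepts a bare tag (v1.12.0) or a full image reference with registry,
# tag and digest (registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:...).
is_patched() {
    img=${1%%@*}                          # drop any @sha256:... digest
    tag=${img##*:}                        # keep what follows the last colon
    case $tag in */*) return 2 ;; esac    # digest-only reference, no tag to judge
    ver=${tag#v}
    ver=${ver%%-*}                        # ignore pre-release suffixes such as -rc.1
    oldifs=$IFS; IFS=.
    set -- $ver                           # split into major minor patch
    IFS=$oldifs
    major=${1:-}; minor=${2:-}; patch=${3:-}
    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) return 2 ;; esac
    done
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -lt 1 ]; then return 1; fi
    if [ "$minor" -gt 12 ]; then return 0; fi
    if [ "$minor" -eq 12 ] && [ "$patch" -ge "$FIXED_1_12" ]; then return 0; fi
    if [ "$minor" -eq 11 ] && [ "$patch" -ge "$FIXED_1_11" ]; then return 0; fi
    return 1                              # 1.12.0, 1.11.0-1.11.4 and every older branch
}

# classify reads "NAMESPACE POD IMAGE" lines on stdin, prints one verdict per
# line and returns 1 if at least one controller is vulnerable (handy in CI).
classify() {
    vulnerable=0
    while read -r ns pod image; do
        [ -n "$image" ] || continue
        rc=0; is_patched "$image" || rc=$?
        case $rc in
            0) verdict=PATCHED ;;
            1) verdict=VULNERABLE; vulnerable=1 ;;
            *) verdict=UNKNOWN ;;
        esac
        printf '%s %s/%s %s\n' "$verdict" "$ns" "$pod" "$image"
    done
    return $vulnerable
}

# scan_cluster lists ingress-nginx controller pods in every namespace in the
# "NAMESPACE POD IMAGE" form that classify expects.
scan_cluster() {
    kubectl get pods --all-namespaces \
        --selector 'app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/component=controller' \
        -o jsonpath='{range .items[*]}{.metadata.namespace} {.metadata.name} {.spec.containers[0].image}{"\n"}{end}'
}

# args_without_webhook reads one container argument per line on stdin and emits
# the same list as a JSON array with --validating-webhook[=addr] removed.
# --validating-webhook-certificate/-key are left alone (assumption: the
# controller ignores them when no webhook address is configured).
args_without_webhook() {
    printf '[%s]\n' "$(grep -v -e '^--validating-webhook$' -e '^--validating-webhook=' \
        | sed 's/["\\]/\\&/g; s/^/"/; s/$/"/' | paste -s -d , -)"
}

# disable_admission_webhook NAMESPACE KIND NAME applies the manual mitigation:
# remove the webhook registration, then drop --validating-webhook from the
# controller's args so the vulnerable endpoint is no longer served.
disable_admission_webhook() {
    ns=$1; kind=$2; name=$3
    kubectl delete validatingwebhookconfiguration ingress-nginx-admission --ignore-not-found
    args=$(kubectl -n "$ns" get "$kind" "$name" \
        -o jsonpath='{range .spec.template.spec.containers[0].args[*]}{@}{"\n"}{end}' \
        | args_without_webhook)
    kubectl -n "$ns" patch "$kind" "$name" --type=json \
        -p "[{\"op\":\"replace\",\"path\":\"/spec/template/spec/containers/0/args\",\"value\":$args}]"
}
# Helm installs should instead run (release and namespace names are yours):
#   helm upgrade ingress-nginx ingress-nginx/ingress-nginx -n ingress-nginx \
#     --reuse-values --set controller.admissionWebhooks.enabled=false

case ${1:-} in
    --scan)            scan_cluster | classify ;;
    --disable-webhook) disable_admission_webhook "${2:?namespace}" "${3:?deployment|daemonset}" "${4:?name}" ;;
esac
```

The scan exits non-zero when any controller is still on a vulnerable tag, so it can gate a pipeline; a tag it cannot parse (a digest-only reference or a floating tag such as v1.12) is reported as UNKNOWN rather than silently passed, and should be checked by hand.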
Here time really is of the essence. Good luck all.