CVE-2025-1974
Ingress NGINX Controller (community-driven) vulnerability analysis and mitigation

Wiz Research has uncovered a set of vulnerabilities—dubbed IngressNightmare—affecting the admission controller component of the Ingress NGINX Controller for Kubernetes (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-24513 and CVE-2025-1974). When chained together, exploitation of these vulnerabilities can lead to full takeover of the Kubernetes cluster, including unauthorized access to all Kubernetes secrets across namespaces. We recommend following the guidance in this advisory to identify any vulnerable clusters in your environment, and updating to a patched version or implementing a workaround if any affected clusters are identified.

Technical Details

Ingress NGINX’s admission controller validates incoming ingress objects by generating temporary NGINX configurations and running nginx -t. However, it lacks authentication and sanitization, allowing attackers to inject malicious ingress objects that contain arbitrary NGINX configuration directives. The injected configuration can execute code during the validation phase, effectively leading to RCE. Attackers can exploit annotation fields such as auth-url, auth-tls-match-cn, and even the ingress UID to insert malicious payloads, leveraging directives like ssl_engine to load attacker-controlled shared libraries.

The vulnerability chain is further amplified by a secondary abuse vector: uploading a shared library to the pod using NGINX’s client body buffering mechanism. By exploiting this behavior, attackers can persist the file in memory and trigger execution through nginx -t once the admission controller processes a malicious request. This results in remote code execution with elevated privileges, compromising the entire Kubernetes cluster.

Affected Products

Ingress NGINX Controller for Kubernetes, specifically:

  • Versions 1.12.0, prior to 1.12.1

  • Versions 1.11.0, prior to 1.11.5

Older versions are also impacted, but are not maintained and so did not receive a fix. Ingress-NGINX installations where the admission controller is publicly accessible or not properly restricted are most at risk.
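To help locate affected controllers, here is an added triage helper (not part of the Wiz advisory or the ingress-nginx project) that classifies controller image references against the version ranges above; it assumes you collect image strings with a `kubectl get pods -A -o jsonpath=...` query as shown in its docstring, and the sample input is constructed.

```python
r"""Triage helper for CVE-2025-1974 / IngressNightmare (added example).

Assumed collection step (not from the advisory):
  kubectl get pods -A -o jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}'
Feed the printed lines to classify_images().
"""
import re

# Fixed releases named in the advisory. Any 1.11.x below 1.11.5 and any
# 1.12.x below 1.12.1 is affected; older minor lines never received a fix.
FIXED = {(1, 11): (1, 11, 5), (1, 12): (1, 12, 1)}

# Matches the upstream controller image (any variant suffix) and its tag.
IMAGE_RE = re.compile(r"ingress-nginx/controller[\w-]*:v?(\d+)\.(\d+)\.(\d+)")


def is_vulnerable(version):
    """True if this (major, minor, patch) controller version lacks the fix."""
    major, minor, _patch = version
    fixed = FIXED.get((major, minor))
    if fixed is None:
        # Unmaintained lines older than 1.11 are affected and unpatched;
        # newer minor lines are not listed as affected in the advisory.
        return (major, minor) < (1, 11)
    return version < fixed


def classify_images(image_lines):
    """Map each ingress-nginx controller image ref to 'VULNERABLE' or 'patched'."""
    result = {}
    for line in image_lines:
        m = IMAGE_RE.search(line)
        if not m:
            continue  # not an ingress-nginx controller image
        version = tuple(int(x) for x in m.groups())
        result[line.strip()] = "VULNERABLE" if is_vulnerable(version) else "patched"
    return result


# Constructed sample of what the kubectl query above might print.
SAMPLE = """\
registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:PLACEHOLDER
registry.k8s.io/ingress-nginx/controller:v1.12.1
registry.k8s.io/ingress-nginx/controller:v1.10.1
nginx:1.27
"""

if __name__ == "__main__":
    for image, status in classify_images(SAMPLE.splitlines()).items():
        print(f"{status:10} {image}")
```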

Remediation and mitigation

It is recommended to patch to the latest Ingress NGINX Controller versions (1.12.1 or 1.11.5) to mitigate the vulnerabilities. In addition, it is advised to ensure the admission controller webhook endpoint is not exposed to the internet and only accessible by the Kubernetes API Server.

If patching is not immediately possible, apply the following mitigations:

  • Disable the admission controller if it’s unnecessary.

  • Enforce strict network policies to limit access to the controller.

References

Source: Wiz Research
