Kubernetes administrators take note: a critical set of vulnerabilities in the popular ingress-nginx controller—collectively dubbed “IngressNightmare”—could put your entire cluster at risk. In particular, CVE-2025-1974, with a CVSS score of 9.8, allows attackers to take over Kubernetes clusters simply by exploiting the Validating Admission Controller feature. Because ingress-nginx runs in roughly 40% of Kubernetes deployments, this issue has the potential to impact a massive number of environments worldwide.

Affected Versions

The vulnerability affects the following versions of ingress-nginx:

  • Any release prior to v1.11.0
  • v1.11.0 through v1.11.4
  • v1.12.0 (fixed in v1.11.5 and v1.12.1)

The Big Risk: Exposed Ingress Controllers

Ingress controllers are essential for directing external traffic into your Kubernetes Services and Pods. The ingress-nginx implementation is popular for its flexibility and for being a fully software-based solution that runs anywhere. Unfortunately, that reach and convenience also creates a massive risk:

  • Wide Attack Surface: The admission webhook accepts requests over the Pod network without authentication. An attacker who can reach it can escalate to cluster-wide privileges even without permission to create an Ingress object themselves.
  • Broad Secret Access: In a default installation the controller can read every Secret in the cluster, because it needs TLS certificates and other credentials to serve routes. A maliciously crafted Ingress can therefore turn the generated nginx configuration into a channel for exposing or forwarding those credentials to unauthorized users.

If your cluster’s Pod network is reachable from internal corporate networks or even the public internet, the webhook can be hit by an unauthenticated attacker, and a single crafted request can compromise the cluster.

Technical Deep Dive: The CVEs

CVE-2025-1974

  • Severity: CVSS 9.8 (Critical)
  • What it Does: The Validating Admission Controller accepts AdmissionReview requests over the Pod network without authentication, renders the submitted Ingress into an nginx configuration and test-loads it to check validity. Directives injected through the Ingress are evaluated by nginx during that test, inside the controller Pod.
  • Why It’s Dangerous: An attacker no longer needs permission to create or modify Ingress objects; anyone who can reach the webhook’s network endpoint can submit a crafted Ingress directly. The result is arbitrary code execution in the context of the ingress-nginx controller and disclosure of every Secret the controller can read, which in a default installation is every Secret in the cluster. From there, cluster-wide privilege escalation follows.

Other Related Vulnerabilities

  • CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098
    Three of these are configuration-injection flaws in how annotation values are rendered into nginx configuration: CVE-2025-24514 (the auth-url annotation), CVE-2025-1097 (the auth-tls-match-cn annotation) and CVE-2025-1098 (the mirror-target and mirror-host annotations). CVE-2025-24513 is an input-validation (path traversal) issue in the controller that can lead to denial of service or limited disclosure of Secret objects. On their own they require the ability to create or modify Ingress objects and can leak Secrets or arbitrarily reroute traffic. Combined with CVE-2025-1974 they become far more severe, because the same injected configuration can be delivered to the admission webhook by an unauthenticated attacker and is executed by nginx during validation.

Root Cause

The underlying issue is that ingress-nginx must translate Ingress objects, including free-form annotation values, into a valid nginx configuration. To give users flexibility for advanced routing, it renders those values into the configuration with too little sanitization, so a crafted annotation value can introduce additional nginx directives. The validation layer that should catch this instead evaluates the rendered configuration with nginx itself, so an attacker who can reach it gets their directives executed rather than rejected.

The Attack Path

  1. Discovering a Reachable Webhook
    • An attacker or malicious workload identifies that the ingress-nginx Validating Admission Controller is reachable on the Pod network. This service listens for admission requests from the API server to check new or updated Ingress objects, but it does not verify that the caller actually is the API server.
  2. Injecting Malicious Config
    • Using knowledge of how ingress-nginx’s admission webhook processes incoming requests, the attacker crafts an AdmissionReview carrying an Ingress whose annotations smuggle in extra nginx directives. When the controller test-loads the rendered configuration to validate it, nginx evaluates those directives inside the controller Pod.
  3. Abusing Exposed Secrets / Gaining Privileges
    • Once the malicious configuration is injected:
      • The attacker can read or exfiltrate Kubernetes Secrets using the controller’s service account, which in a default installation can read every Secret in the cluster.
      • They could also redirect traffic to rogue endpoints or escalate privileges to pivot into the Kubernetes control plane.
  4. Taking Over the Cluster
    • With newly obtained credentials or route manipulation, the attacker can create or modify additional workloads, eventually compromising the entire Kubernetes environment. In many real-world cluster configurations, obtaining cluster credentials or controlling the Ingress is nearly as powerful as having cluster-admin privileges.

What You Can Do Right Now

  1. Upgrade to a Patched Version
    • The ingress-nginx team has released patched versions v1.12.1 and v1.11.5.
    • If you rely on ingress-nginx, upgrade immediately.
  2. If you cannot patch right away, disable the Validating Admission Controller temporarily
    • Helm-based install: upgrade the release with
      --set controller.admissionWebhooks.enabled=false
  • Manual install: Delete the ValidatingWebhookConfiguration named ingress-nginx-admission and remove the --validating-webhook argument from the controller container’s argument list in the ingress-nginx-controller Deployment (or DaemonSet).
  • Note: The webhook only validates new and changed Ingress objects; nginx keeps serving traffic without it. Once patched, re-enable the admission webhook to regain those validation checks.
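The steps above as a script, as an added example that is not code from the original post or from the ingress-nginx project. It assumes kubectl, helm and jq are on PATH and that kubectl already targets the cluster (for the cluster-side functions only); the release name, namespace, Deployment, Service and label values are the ingress-nginx chart defaults and may differ in your install. The version classifier mirrors the affected ranges in the advisory and runs offline against constructed sample tags.

```shell
#!/bin/sh
# Added example, not code from the original post or from the ingress-nginx
# project. Assumptions: kubectl, helm and jq are on PATH and kubectl already
# targets the cluster (cluster-side functions only); the release name,
# namespace, Deployment, Service and label values are the ingress-nginx chart
# defaults and may differ in your install. The version classifier needs no
# cluster and mirrors the ranges in the advisory.

# Exit 0 if the controller image tag is in an affected range
# (< v1.11.0, v1.11.0-v1.11.4, v1.12.0), 1 if fixed (v1.11.5+, v1.12.1+),
# 2 if the tag cannot be parsed as a version.
ingress_nginx_affected() {
  ver=${1%%@*}          # drop "@sha256:..." digest
  ver=${ver##*:}        # drop "registry/repo:" prefix
  ver=${ver#v}          # drop leading "v"
  ver=${ver%%-*}        # drop pre-release suffix such as "-beta.0"
  case "$ver" in
    ''|.*|*.|*..*|*[!0-9.]*) return 2 ;;
  esac
  major=${ver%%.*}
  rest=${ver#*.}
  [ "$rest" = "$ver" ] && rest=0        # "1"    -> minor 0
  minor=${rest%%.*}
  patch=${rest#*.}
  [ "$patch" = "$rest" ] && patch=0     # "1.11" -> patch 0
  patch=${patch%%.*}
  [ "$major" -lt 1 ] && return 0
  [ "$major" -gt 1 ] && return 1
  [ "$minor" -lt 11 ] && return 0
  [ "$minor" -eq 11 ] && [ "$patch" -le 4 ] && return 0
  [ "$minor" -eq 12 ] && [ "$patch" -eq 0 ] && return 0
  return 1
}

# Print "AFFECTED", "fixed" or "unknown" followed by the tag.
report_tag() {
  rc=0
  ingress_nginx_affected "$1" || rc=$?
  case $rc in 0) status=AFFECTED ;; 1) status=fixed ;; *) status=unknown ;; esac
  printf '%-9s %s\n' "$status" "$1"
}

# Cluster-side: classify every controller image running in the cluster.
scan_cluster() {
  kubectl get pods -A -l app.kubernetes.io/name=ingress-nginx \
    -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name} {.spec.containers[*].image}{"\n"}{end}' |
  while read -r pod images; do
    for img in $images; do
      case "$img" in
        *ingress-nginx/controller*) printf '%s ' "$pod"; report_tag "$img" ;;
      esac
    done
  done
}

# Cluster-side: does the admission webhook answer an unauthenticated request
# from an ordinary Pod? Any HTTP status back means it is reachable on the Pod
# network; this is a connectivity probe, not an exploit attempt.
probe_webhook() {
  kubectl run nightmare-probe --rm -i --restart=Never --image=curlimages/curl -- \
    curl -sk -o /dev/null -w '%{http_code}\n' \
    https://ingress-nginx-controller-admission.ingress-nginx.svc/networking/v1/ingresses
}

# Temporary mitigation for a Helm install until the controller is upgraded.
disable_webhook_helm() {
  helm upgrade ingress-nginx ingress-nginx/ingress-nginx -n ingress-nginx \
    --reuse-values --set controller.admissionWebhooks.enabled=false
}

# Same mitigation for a manifest-based install: remove the webhook registration
# and every --validating-webhook* flag from the controller container.
disable_webhook_manual() {
  kubectl delete validatingwebhookconfiguration ingress-nginx-admission
  kubectl -n ingress-nginx get deployment ingress-nginx-controller -o json |
    jq 'del(.spec.template.spec.containers[0].args[] | select(startswith("--validating-webhook")))' |
    kubectl replace -f -
}

# Confirm the webhook registration is gone (exit 0 when nothing is registered).
verify_webhook_gone() {
  ! kubectl get validatingwebhookconfiguration ingress-nginx-admission >/dev/null 2>&1
}

# Offline demo on constructed image tags; no cluster needed.
for tag in v1.10.1 v1.11.4 v1.11.5 v1.12.0 v1.12.1 \
  'registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:0123456789abcdef' latest
do
  report_tag "$tag"
done
```

Run scan_cluster first to see which controllers need attention, probe_webhook to confirm whether the webhook is reachable from a plain Pod, then apply disable_webhook_helm or disable_webhook_manual only until the upgrade lands; verify_webhook_gone should succeed afterwards, and the webhook should be re-enabled once the controller is on v1.11.5 or v1.12.1.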


How Upwind Protects Against This Threat

Upwind’s Runtime Security is designed to detect and flag malicious requests attempting to exploit vulnerabilities.

Our platform offers the following capabilities:

  • Find all of your ingress-nginx controllers running affected versions within seconds in the Upwind SBOM Explorer.
  • Prioritize the list of resources to be patched using the Runtime exploit funnel.
  • Live API Traffic Monitoring. Continuously monitors API traffic to detect exploitation attempts.
  • AI-based Anomaly Detection. Utilizes advanced AI algorithms to identify abnormal request patterns.
  • Real-Time Alerts. Notifies security teams immediately to prevent active attacks.
  • Exposure Overview. Offers a detailed overview of resources running vulnerable ingress-nginx versions, enabling teams to quickly evaluate and address potential risks.

Learn More

By leveraging Upwind’s runtime security, organizations gain enhanced visibility into exploitation attempts, allowing them to dynamically protect their applications. To learn more about how Upwind protects against vulnerabilities, schedule a demo.