Kubernetes administrators take note: a critical set of vulnerabilities in the popular ingress-nginx controller—collectively dubbed “IngressNightmare”—could put your entire cluster at risk. In particular, CVE-2025-1974, with a CVSS score of 9.8, allows attackers to take over Kubernetes clusters simply by exploiting the Validating Admission Controller feature. Because ingress-nginx runs in roughly 40% of Kubernetes deployments, this issue has the potential to impact a massive number of environments worldwide.
Affected Versions
The vulnerability affects the following versions of ingress-nginx:
- Any release prior to <
1.11.0 - Any release between
1.11.0to1.11.4 - Any release prior to <
1.12.1
The Big Risk: Exposed Ingress Controllers
Ingress controllers are essential for directing external traffic into your Kubernetes Services and Pods. The ingress-nginx implementation is popular for its flexibility and for being a fully software-based solution that runs anywhere. Unfortunately, that reach and convenience also creates a massive risk:
- Wide Attack Surface: If an attacker on the Pod network can abuse the ingress-nginx admission webhook, they could escalate to cluster-wide privileges—even if they do not have permission to create an Ingress object themselves.
- Misconfiguration Danger: Because ingress-nginx has access to many Kubernetes Secrets for routing purposes, a maliciously crafted Ingress can trick the underlying nginx configuration into exposing or forwarding those credentials to unauthorized users.
If your cluster’s Pod network is accessible from internal corporate networks or even the public internet, you could be vulnerable to unauthenticated cluster compromises.
Technical Deep Dive: The CVEs
CVE-2025-1974
- Severity: CVSS
9.8(Critical) - What it Does: Exploits the ingress-nginx Validating Admission Controller to inject malicious configuration into nginx at admission time.
- Why It’s Dangerous: Attackers no longer need the ability to create or modify Ingress objects themselves; they can instead manipulate admission requests via the network if the webhook is reachable. This can grant access to Secrets or allow code execution on ingress-nginx components, escalating privileges cluster-wide.
Other Related Vulnerabilities
- CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098
Each of these pertains to how ingress-nginx handles specific portions of nginx configuration. An attacker with the ability to create or modify Ingress objects could exploit these to leak the contents of Secrets or arbitrarily reroute traffic. Combined with CVE-2025-1974, these vulnerabilities become even more severe because the admission webhook can be tricked into applying malicious configuration without the usual security checks.
Root Cause
The underlying issue centers on ingress-nginx needing to translate Ingress rules into valid nginx config. Because it must allow users flexibility in configuring advanced routing, ingress-nginx is highly permissive. If the validation layer can be bypassed, an attacker can craft malicious directives that grant them undue access to cluster resources.
The Attack Path
- Discovering a Reachable Webhook
- An attacker or malicious workload identifies that the ingress-nginx Validating Admission Controller is reachable on the Pod network. This service typically listens for admissions requests to check new or updated Ingress objects.
- An attacker or malicious workload identifies that the ingress-nginx Validating Admission Controller is reachable on the Pod network. This service typically listens for admissions requests to check new or updated Ingress objects.
- Injecting Malicious Config
- Using knowledge of how ingress-nginx’s admission webhook processes incoming requests, the attacker crafts a special payload. This payload tricks ingress-nginx into injecting dangerous nginx directives into the live configuration.
- Using knowledge of how ingress-nginx’s admission webhook processes incoming requests, the attacker crafts a special payload. This payload tricks ingress-nginx into injecting dangerous nginx directives into the live configuration.
- Abusing Exposed Secrets / Gaining Privileges
- Once the malicious configuration is injected:
- The attacker may be able to read or exfiltrate Kubernetes Secrets if the ingress-nginx Pod or its service account has broad access.
- They could also redirect traffic to rogue endpoints or escalate privileges to pivot into the Kubernetes control plane.
- The attacker may be able to read or exfiltrate Kubernetes Secrets if the ingress-nginx Pod or its service account has broad access.
- Once the malicious configuration is injected:
- Taking Over the Cluster
- With newly obtained credentials or route manipulation, the attacker can create or modify additional workloads, eventually compromising the entire Kubernetes environment. In many real-world cluster configurations, obtaining cluster credentials or controlling the Ingress is nearly as powerful as having cluster-admin privileges.
What You Can Do Right Now
- Upgrade to a Patched Version
- The ingress-nginx team has released patched versions
v1.12.1andv1.11.5. - If you rely on ingress-nginx, upgrade immediately.
- The ingress-nginx team has released patched versions
- If you cannot patch right away, Disable the Validating Admission Controller Temporarily
- Helm-based install:
controller.admissionWebhooks.enabled=falseCopied
- Manual install: Delete the
ValidatingWebhookConfigurationnamedingress-nginx-admissionand remove the If you cannot patch right away argument from the controller Pod specification.
- Note: Once patched, re-enable the admission webhook to regain important validation checks.
How Upwind Protects Against This Threat
Upwind’s Runtime Security is designed to detect and flag malicious requests attempting to exploit vulnerabilities.
Our platform offers the following capabilities:
- Find all of your Nginx ingress controllers in the affected versions within seconds in the Upwind SBOM Explorer.
- Prioritize the list of resources to be patched using the Runtime exploit funnel
- Live API Traffic Monitoring. Continuously monitors API traffic to detect exploitation attempts.
- AI-based Anomaly Detection. Utilizes advanced AI algorithms to identify abnormal request patterns.
- Real-Time Alerts. Notifies security teams immediately to prevent active attacks.
- Exposure Overview. Offers a detailed overview of resources running vulnerable Next.js versions, enabling teams to quickly evaluate and address potential risks.
Learn More
By leveraging Upwind’s runtime security, organizations gain enhanced visibility into exploitation attempts, allowing them to dynamically protect their applications. To learn more about how Upwind protects against vulnerabilities, schedule a demo.
