IngressNightmare: How New ingress-nginx Vulnerabilities Threaten Kubernetes Clusters

Hexagonal icon with an N inside on a pink gradient background with angular lines. Text: IngressNightmare: Admission Webhook Flaw Leading to Remote Code Execution (CVE-2025-1974).
Eliad Mualem, Upwind

By Eliad Mualem

Mar 25, 2025

Kubernetes administrators take note: a critical set of vulnerabilities in the popular ingress-nginx controller—collectively dubbed “IngressNightmare”—could put your entire cluster at risk. In particular, CVE-2025-1974, with a CVSS score of 9.8, allows attackers to take over Kubernetes clusters simply by exploiting the Validating Admission Controller feature. Because ingress-nginx runs in roughly 40% of Kubernetes deployments, this issue has the potential to impact a massive number of environments worldwide.

Affected Versions

The vulnerability affects the following versions of ingress-nginx:

  • Any release prior to < 1.11.0
  • Any release between 1.11.0 to 1.11.4
  • Any release prior to < 1.12.1

The Big Risk: Exposed Ingress Controllers

Ingress controllers are essential for directing external traffic into your Kubernetes Services and Pods. The ingress-nginx implementation is popular for its flexibility and for being a fully software-based solution that runs anywhere. Unfortunately, that reach and convenience also creates a massive risk:

  • Wide Attack Surface: If an attacker on the Pod network can abuse the ingress-nginx admission webhook, they could escalate to cluster-wide privileges—even if they do not have permission to create an Ingress object themselves.
  • Misconfiguration Danger: Because ingress-nginx has access to many Kubernetes Secrets for routing purposes, a maliciously crafted Ingress can trick the underlying nginx configuration into exposing or forwarding those credentials to unauthorized users.

If your cluster’s Pod network is accessible from internal corporate networks or even the public internet, you could be vulnerable to unauthenticated cluster compromises.

Technical Deep Dive: The CVEs

CVE-2025-1974

  • Severity: CVSS 9.8 (Critical)
  • What it Does: Exploits the ingress-nginx Validating Admission Controller to inject malicious configuration into nginx at admission time.
  • Why It’s Dangerous: Attackers no longer need the ability to create or modify Ingress objects themselves; they can instead manipulate admission requests via the network if the webhook is reachable. This can grant access to Secrets or allow code execution on ingress-nginx components, escalating privileges cluster-wide.

Other Related Vulnerabilities

  • CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098
     Each of these pertains to how ingress-nginx handles specific portions of nginx configuration. An attacker with the ability to create or modify Ingress objects could exploit these to leak the contents of Secrets or arbitrarily reroute traffic. Combined with CVE-2025-1974, these vulnerabilities become even more severe because the admission webhook can be tricked into applying malicious configuration without the usual security checks.

Root Cause

The underlying issue centers on ingress-nginx needing to translate Ingress rules into valid nginx config. Because it must allow users flexibility in configuring advanced routing, ingress-nginx is highly permissive. If the validation layer can be bypassed, an attacker can craft malicious directives that grant them undue access to cluster resources.

The Attack Path

  1. Discovering a Reachable Webhook
    • An attacker or malicious workload identifies that the ingress-nginx Validating Admission Controller is reachable on the Pod network. This service typically listens for admissions requests to check new or updated Ingress objects.
  2. Injecting Malicious Config
    • Using knowledge of how ingress-nginx’s admission webhook processes incoming requests, the attacker crafts a special payload. This payload tricks ingress-nginx into injecting dangerous nginx directives into the live configuration.
  3. Abusing Exposed Secrets / Gaining Privileges
    • Once the malicious configuration is injected:
      • The attacker may be able to read or exfiltrate Kubernetes Secrets if the ingress-nginx Pod or its service account has broad access.
      • They could also redirect traffic to rogue endpoints or escalate privileges to pivot into the Kubernetes control plane.
  4. Taking Over the Cluster
    • With newly obtained credentials or route manipulation, the attacker can create or modify additional workloads, eventually compromising the entire Kubernetes environment. In many real-world cluster configurations, obtaining cluster credentials or controlling the Ingress is nearly as powerful as having cluster-admin privileges.

What You Can Do Right Now

  1. Upgrade to a Patched Version
    • The ingress-nginx team has released patched versions v1.12.1 and v1.11.5.
    • If you rely on ingress-nginx, upgrade immediately.
  2. If you cannot patch right away, Disable the Validating Admission Controller Temporarily
    • Helm-based install: 
controller.admissionWebhooks.enabled=false

Copied

  • Manual install: Delete the ValidatingWebhookConfiguration named ingress-nginx-admission and remove the If you cannot patch right away argument from the controller Pod specification.
  • Note: Once patched, re-enable the admission webhook to regain important validation checks.


How Upwind Protects Against This Threat

Upwind’s Runtime Security is designed to detect and flag malicious requests attempting to exploit vulnerabilities.

Our platform offers the following capabilities:

  • Find all of your Nginx ingress controllers in the affected versions within seconds in the Upwind SBOM Explorer.
  • Prioritize the list of resources to be patched using the Runtime exploit funnel
  • Live API Traffic Monitoring. Continuously monitors API traffic to detect exploitation attempts.
  • AI-based Anomaly Detection. Utilizes advanced AI algorithms to identify abnormal request patterns.
  • Real-Time Alerts. Notifies security teams immediately to prevent active attacks.
  • Exposure Overview. Offers a detailed overview of resources running vulnerable Next.js versions, enabling teams to quickly evaluate and address potential risks.

Learn More

By leveraging Upwind’s runtime security, organizations gain enhanced visibility into exploitation attempts, allowing them to dynamically protect their applications. To learn more about how Upwind protects against vulnerabilities, schedule a demo.

IngressNightmare: How New ingress-nginx Vulnerabilities Threaten Kubernetes Clusters

Further Reading

Blue and red gradient lines curve upward against a light blue background, intersected by orange circles. The word upwind with an underlined u appears in the upper left corner.
Research

Unpacking the Security Risks of Model Context Protocol (MCP) Servers

Screenshot 2024-09-25 at 9.12.26 AM Eliad Mualem, Upwind Moshe Hassan Upwind

By Avital Harel, Eliad Mualem & Moshe Hassan

Apr 18, 2025

Modern AI systems, especially large language models (LLMs), are no longer isolated engines responding to static inputs. They’re evolving into intelligent agents, copilots, and autonomous systems that interact with their environment, reason over external data, and adapt in real time. But there’s a fundamental problem: LLMs are powerful, but they don’t know anything outside of […]

A white warning icon with an exclamation mark is centered on a bright pink, patterned background. Below it, text reads: CVE-2025-32433: Critical Erlang/OTP SSH Vulnerability (CVSS 10).
Research

CVE-2025-32433: Critical Erlang/OTP SSH Vulnerability (CVSS 10)

Eliad Mualem, Upwind

By Eliad Mualem

Apr 17, 2025

On April 16, 2025, a critical remote code execution (RCE) vulnerability in Erlang’s SSH library was publicly disclosed. Tracked as CVE-2025-32433, this vulnerability received the maximum possible CVSS score of 10.0, signaling how severe and exploitable it is, especially in environments relying on Erlang/OTP for SSH access. Overview What is CVE-2025-32433? Discovered by researchers at […]

A pink background with concentric circles and a white bug icon in the center. Text reads, Next.js Middleware Authentication Bypass Vulnerability (CVE-2025-29927). Upwind logo in the top right corner.
Research

Next.js Middleware Authentication Bypass Vulnerability (CVE-2025-29927)

Eliad Mualem, Upwind

By Eliad Mualem

Mar 24, 2025

Next.js middleware plays a key role in securing applications by enforcing authentication, managing access control, and applying security headers. However, a newly discovered vulnerability, CVE-2025-29927, allows attackers to bypass these protections entirely using a manipulated HTTP header. Affected Versions This flaw affects the following versions: The Core Issue Next.js prevents infinite middleware loops by tracking […]

Stay in touch

Product

CNAPP
Vulnerability Management
CSPM
Container Security
CWPP
CDR
API Security
Identity Security

General

About
Contact
Careers
Feed
Events
Case Studies
Get A Demo
Glossary

Social

Twitter
LinkedIn
Facebook

Resources

Documentation

Privacy Policy
Terms of Use

© 2025, Upwind Security