CVE-2025-1974 is a critical security vulnerability identified in Kubernetes’ ingress-nginx controller. Under certain conditions, an unauthenticated attacker with access to the pod network can execute arbitrary code within the ingress-nginx controller’s context. This exploitation may lead to the disclosure of secrets accessible to the controller, which, in default installations, includes all cluster-wide secrets.
Affected ingress-nginx controller versions:
- Versions prior to v1.11.0
- Versions v1.11.0 through v1.11.4
- Version v1.12.0
To address this vulnerability, it is imperative to upgrade the ingress-nginx controller to one of the following patched versions:
- v1.11.5
- v1.12.1
Vulnerability Mitigation Steps:
- Upgrade Ingress-NGINX Controller: Implement the latest patched versions (v1.11.5 or v1.12.1) to remediate the vulnerability.
- Disable the Validating Admission Controller: If immediate upgrading isn’t feasible, temporarily disable the Validating Admission Controller feature of ingress-nginx to mitigate risk.
- For Helm installations: reinstall with the Helm value controller.admissionWebhooks.enabled=false.
- For manual installations:
  - Delete the ValidatingWebhookConfiguration named ingress-nginx-admission.
  - Edit the ingress-nginx-controller Deployment or DaemonSet to remove the --validating-webhook argument from the controller container's argument list.
Verification: To determine if your cluster utilizes ingress-nginx, execute:
kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx
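As an added example (not part of this advisory, and not ingress-nginx project code), the following POSIX shell script classifies a controller image tag against the affected ranges listed above and, when run with --scan against a cluster that kubectl is already configured for, lists every ingress-nginx controller image with its status and reports whether the ingress-nginx-admission ValidatingWebhookConfiguration is still present (that is, whether the interim mitigation has been applied). It uses the same pod selector as the command above, extended with a jsonpath output to print container images. Assumptions: the controller image path contains ingress-nginx/controller (true for the default registry.k8s.io images; mirrors may differ), and any 1.11.x release at or above v1.11.5, any release at or above v1.12.1, and any later minor or major release are treated as patched. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the advisory or the ingress-nginx project.
# Classifies ingress-nginx controller image tags against the affected ranges
# (< v1.11.0, v1.11.0..v1.11.4, v1.12.0) and, with --scan, inspects a live cluster.
set -e

# Print "vulnerable", "patched" or "unknown" for a controller image tag such as v1.11.4.
# Assumption: 1.11.x >= v1.11.5, >= v1.12.1 and any later minor/major are patched.
classify_ingress_nginx_tag() {
    ver=${1#v}                 # v1.11.4 -> 1.11.4
    ver=${ver%%-*}             # drop a pre-release suffix such as -rc1
    major=${ver%%.*}
    rest=${ver#*.}
    case "$rest" in
        *.*) minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   minor=$rest; patch=0 ;;
    esac
    for n in "$major" "$minor" "$patch"; do
        case "$n" in ''|*[!0-9]*) echo unknown; return 0 ;; esac   # e.g. "latest"
    done
    if [ "$major" -lt 1 ]; then echo vulnerable          # everything before v1.11.0
    elif [ "$major" -gt 1 ]; then echo patched
    elif [ "$minor" -lt 11 ]; then echo vulnerable
    elif [ "$minor" -eq 11 ]; then
        if [ "$patch" -le 4 ]; then echo vulnerable; else echo patched; fi
    elif [ "$minor" -eq 12 ]; then
        if [ "$patch" -eq 0 ]; then echo vulnerable; else echo patched; fi
    else echo patched
    fi
}

# Extract the tag from an image reference, ignoring a trailing @sha256 digest.
# Prints nothing when the image has no tag (a ':' that belongs to a registry port is not a tag).
image_to_tag() {
    img=${1%%@*}
    tag=${img##*:}
    case "$tag" in
        "$img"|*/*) echo "" ;;
        *)         echo "$tag" ;;
    esac
}

scan_cluster() {
    if ! command -v kubectl >/dev/null 2>&1; then
        echo "kubectl not found; nothing to scan" >&2
        return 1
    fi
    # Same selector as the advisory's check, extended to print each pod's container images.
    kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx \
        -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{" "}{.spec.containers[*].image}{"\n"}{end}' |
    while read -r ns pod images; do
        for img in $images; do
            # Assumption: the controller image path contains ingress-nginx/controller
            # (true for the default registry.k8s.io images; adjust for mirrors).
            case "$img" in *ingress-nginx/controller*) ;; *) continue ;; esac
            tag=$(image_to_tag "$img")
            [ -n "$tag" ] || tag=latest
            printf '%s/%s %s -> %s\n' "$ns" "$pod" "$img" "$(classify_ingress_nginx_tag "$tag")"
        done
    done
    # Mitigation check: the webhook object the advisory says to delete if you cannot upgrade yet.
    if kubectl get validatingwebhookconfiguration ingress-nginx-admission >/dev/null 2>&1; then
        echo "ValidatingWebhookConfiguration ingress-nginx-admission present: admission webhook still enabled"
    else
        echo "ValidatingWebhookConfiguration ingress-nginx-admission not found"
    fi
}

if [ "${1:-}" = "--scan" ]; then
    scan_cluster
fi
```

Run it as sh check-ingress-nginx.sh --scan with a kubeconfig that can list pods cluster-wide and read ValidatingWebhookConfigurations. A controller reported as vulnerable together with a present ingress-nginx-admission webhook is the exposed configuration described above; a controller at v1.11.5 or v1.12.1 (or later) is what the advisory asks for regardless of the webhook state.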
Given the severity of CVE-2025-1974, with a CVSS score of 9.8 (Critical), prompt action is essential to safeguard your Kubernetes clusters from potential exploitation.
Additional Details of CVE-2025-1974:
As of March 25, 2025, there is no evidence to suggest that CVE-2025-1974 has been actively exploited in the wild. However, a proof-of-concept (PoC) exploit has been made publicly available, indicating that the vulnerability is exploitable under certain conditions. Given the critical nature of this vulnerability and the availability of a PoC, it is imperative to take immediate action to secure your systems.
Key Takeaways:
- Critical security risk: It is strongly recommended to immediately update your ingress-nginx installation to version v1.11.5 or v1.12.1 to protect your Kubernetes environment.
- Immediate mitigation required: If immediate patching is not achievable within your environment, temporarily disable the “Validating Admission Controller” as an interim measure and execute an upgrade as soon as possible.