T3CH

Snoop & Learn about Technology, AI, Hacking, Coding, Software, News, Tools, Leaks, Bug Bounty, OSINT & Cybersecurity !¡! But, not limited 2, anything that is Tech Linked…You’ll probably find here ! ;) — Stay ahead with Latest Tech News! -> You write about? Just ping to join !


Critical Vulnerabilities in Ingress-Nginx Controller for Kubernetes


Overview

Recent security research has uncovered multiple critical vulnerabilities in the widely used Ingress-Nginx controller for Kubernetes. These flaws, present in versions up to and including 1.12.0 and 1.11.4, allow unauthenticated remote code execution (RCE). Given that Ingress-Nginx is a key component for handling traffic within Kubernetes clusters, this issue poses a significant risk to cloud-native environments.

The Risk at Hand

Attackers can exploit these vulnerabilities through the default webhook service exposed by Ingress-Nginx. This webhook, typically available on TCP port 8443, is accessible to pods within the cluster. A malicious actor with network access can craft HTTP requests to trigger remote code execution, potentially gaining control over affected Kubernetes environments.

The identified CVEs associated with this issue include:

  • CVE-2025-1097
  • CVE-2025-1098
  • CVE-2025-24513
  • CVE-2025-24514
  • CVE-2025-1974 (the most severe, with a CVSS score of 9.8)
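
To find exposed controllers, the version range and webhook port described above can be checked against a cluster's pod inventory. The following is an added example, not code from the article or from the Ingress-Nginx project; it assumes input in the shape of `kubectl get pods -A -o json`, and the pod names and namespaces in the sample are constructed.

```python
import json
import re

# Matches the controller image and captures its version, e.g.
# registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:...
IMAGE_RE = re.compile(r"ingress-nginx/controller(?:-chroot)?:v?(\d+)\.(\d+)\.(\d+)")

def is_affected(version):
    """Ranges as stated in the article: the 1.12 line up to and including
    1.12.0, and every other release up to and including 1.11.4."""
    if version[:2] == (1, 12):
        return version <= (1, 12, 0)
    return version <= (1, 11, 4)

def audit(pod_list):
    """Return one finding per ingress-nginx controller container."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        for c in pod.get("spec", {}).get("containers", []):
            m = IMAGE_RE.search(c.get("image", ""))
            if not m:
                continue  # not an ingress-nginx controller image
            version = tuple(int(x) for x in m.groups())
            ports = [p.get("containerPort") for p in c.get("ports") or []]
            findings.append({
                "pod": f"{meta.get('namespace')}/{meta.get('name')}",
                "version": ".".join(map(str, version)),
                "affected": is_affected(version),
                "webhook_8443": 8443 in ports,  # port named in the article
            })
    return findings

# Constructed sample in the shape of `kubectl get pods -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "ingress-nginx", "name": "ctl-old"},
  "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.11.4",
    "ports": [{"containerPort": 80}, {"containerPort": 8443}]}]}},
 {"metadata": {"namespace": "edge", "name": "ctl-new"},
  "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.12.1",
    "ports": [{"containerPort": 8443}]}]}},
 {"metadata": {"namespace": "web", "name": "site"},
  "spec": {"containers": [{"image": "nginx:1.25"}]}}
]}
""")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A pod that reports both `affected` and `webhook_8443` as true is the first candidate for upgrade; the port check only reflects declared container ports, so a webhook configured on a different port will not be flagged by it.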

Further details and vendor advisories can be found here:


Published in T3CH



Written by Maciej

DevOps Consultant. I’m strongly focused on automation, security, and reliability.
