A set of vulnerabilities have been identified in Ingress-NGINX Controller for Kubernetes, posing a risk to organizations relying on the affected versions. These vulnerabilities impact versions prior to NGINX Controller 1.12.1 and 1.11.5, and could allow unauthorized remote code execution and potential full cluster takeover.
Technical users leveraging Kubernetes for containerized workloads should immediately patch their systems to the latest version to mitigate these risks.
Ingress-NGINX Controller Background: What Has Happened?
The Australian Cyber Security Centre has released an advisory detailing multiple vulnerabilities affecting Ingress-NGINX Controller. The flaws stem from improper handling of ingress annotations and attacker-provided data, leading to arbitrary code execution and secret disclosures.
Below are the key vulnerabilities identified:
1. CVE-2025-1097: Auth-TLS-Match-CN Ingress Annotation Vulnerability
A security issue exists where the auth-tls-match-cn Ingress annotation can be exploited to inject unauthorized configurations into NGINX.
- Impact: Enables arbitrary code execution in the context of the Ingress-NGINX controller.
- Risk: Unauthorized access to all Secrets across namespaces, compromising the cluster’s security.
2. CVE-2025-1098: Mirror-Target and Mirror-Host Annotations Vulnerability
The mirror-target and mirror-host Ingress annotations can be misused to insert arbitrary configurations into NGINX.
- Impact: Remote execution of malicious code within the Ingress-NGINX controller.
- Risk: Exposes sensitive cluster-wide Secrets, leading to potential system compromise.
3. CVE-2025-1974: Unauthenticated Access to Pod Network
Under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution.
- Impact: Compromised controller integrity.
- Risk: Attackers can extract Secrets from the cluster and potentially gain full control.
4. CVE-2025-24513: Directory Traversal via Ingress-NGINX Admission Controller
A vulnerability in the Ingress-NGINX Admission Controller allows attacker-provided data to be included in filenames, leading to directory traversal within the container.
- Impact: Can result in Denial of Service (DoS).
- Risk: In some cases, can expose Secret objects within the cluster.
5. CVE-2025-24514: Auth-URL Ingress Annotation Exploit
The auth-url Ingress annotation can be used to inject malicious configurations into NGINX.
- Impact: Allows attackers to remotely execute code within the controller.
- Risk: Grants unauthorized access to Secrets across namespaces.
Why This Matters
Ingress-NGINX Controller plays a critical role in routing external traffic to services within a Kubernetes cluster. Exploiting these vulnerabilities can lead to:
- Remote Code Execution (RCE): Attackers can execute arbitrary commands on the Ingress controller.
- Cluster-Wide Secrets Exposure: Sensitive credentials, API keys, and other secrets can be compromised.
- Complete Cluster Takeover: Unauthorized access could lead to a total compromise of Kubernetes infrastructure.
Mitigation: How to Stay Secure
To protect against these vulnerabilities, the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) recommends the following measures:
- Upgrade to the Latest Version
- Immediately update Ingress-NGINX Controller to version 1.12.1 or 1.11.5 to patch these security issues.
- Review Kubernetes Security Guidance
- Regularly monitor updates from the official Ingress-NGINX GitHub Repository to stay informed about security patches and advisories.
- Disable External Access to the Admission Webhook Endpoint
- Ensure the admission webhook endpoint is not publicly accessible to prevent external attackers from exploiting it.
- Addressing CVE-2025-1974
- Due to the severity of this vulnerability, validation of the generated NGINX configuration has been disabled during Ingress resource validation.
- While the system still performs checks before actual loading, invalid Ingress resources may prevent NGINX from updating its configuration.
- Recommended Actions:
- Enable annotation validation.
- Disable snippet annotations to minimize risks.
- Monitor Ingress-NGINX logs for errors, particularly lines preceded by Error.
The Ingress-NGINX vulnerabilities present a serious risk to Kubernetes clusters, with potential consequences including unauthorized remote execution, credential leaks, and cluster-wide compromise. Organizations using affected versions should immediately upgrade to secure their environments.
By staying informed and following best practices, technical teams can minimize the attack surface and prevent exploitation of these critical flaws.
