Skip to main content

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
  1. Home
  2. Alerts & Advisories
  3. Alerts
  4. Critical Vulnerability in Kubernetes Ingress-nginx
Alerts

Critical Vulnerability in Kubernetes Ingress-nginx

3 April 2025

Security updates addressing a critical vulnerability in Kubernetes ingress-nginx have been released. Users and administrators are advised to update to the latest version immediately.

Security updates have been released to address a critical vulnerability (CVE-2025-1974) in Kubernetes ingress-nginx. The vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.8 out of 10.

Successful exploitation of the configuration injection vulnerability can allow an unauthenticated attacker with access to the pod network to execute arbitrary code in the context of the ingress-nginx controller. This vulnerability can be chained together with other vulnerabilities addressed in the latest security update (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514) to take over a Kubernetes cluster.

Affected product versions include:    

  • < v1.11.0

  • v1.11.0 - 1.11.4

  • v1.12.0

Users and administrators of affected product versions are advised to update to the latest versions immediately.

If the update cannot be performed immediately, users and administrators can significantly reduce risk by turning off the Validating Admission Controller feature of ingress-nginx.

More information is available here:

https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/

https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities

https://nvd.nist.gov/vuln/detail/CVE-2025-1974


Back to top