Critical Vulnerability in Kubernetes Ingress-nginx
3 April 2025
Security updates addressing a critical vulnerability in Kubernetes ingress-nginx have been released. Users and administrators are advised to update to the latest version immediately.
Security updates have been released to address a critical vulnerability (CVE-2025-1974) in Kubernetes ingress-nginx. The vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.8 out of 10.
Successful exploitation of the configuration injection vulnerability can allow an unauthenticated attacker with access to the pod network to execute arbitrary code in the context of the ingress-nginx controller. This vulnerability can be chained together with other vulnerabilities addressed in the latest security update (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514) to take over a Kubernetes cluster.
Affected product versions include:
- < v1.11.0
- v1.11.0 - 1.11.4
- v1.12.0
Users and administrators of affected product versions are advised to update to the latest versions immediately.
If the update cannot be performed immediately, users and administrators can significantly reduce risk by turning off the Validating Admission Controller feature of ingress-nginx.
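One way to triage a cluster against the affected versions and the interim mitigation above, as an added example that is not part of the advisory or the ingress-nginx project: it reads pod JSON and reports, per controller container, whether the image tag falls in the listed ranges and whether the admission webhook is switched on. The label selector `app.kubernetes.io/name=ingress-nginx`, the `/controller` image name and the `--validating-webhook` argument are those of the upstream default install and are assumptions here; the pod data is constructed.

```python
import json
import re

# Constructed sample (not real cluster data), shaped like the output of:
#   kubectl get pods -A -l app.kubernetes.io/name=ingress-nginx -o json
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "controller-old"},
     "spec": {"containers": [{
         "image": "registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:0000",
         "args": ["/nginx-ingress-controller", "--validating-webhook=:8443"]}]}},
    {"metadata": {"namespace": "ingress-nginx", "name": "controller-new"},
     "spec": {"containers": [{
         "image": "registry.k8s.io/ingress-nginx/controller:v1.12.1",
         "args": ["/nginx-ingress-controller"]}]}},
    {"metadata": {"namespace": "ingress-nginx", "name": "admission-create"},
     "spec": {"containers": [{
         "image": "registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4"}]}},
]})

# Assumption: the controller image repository path ends in "/controller".
CONTROLLER_IMAGE = re.compile(r"/controller(?::v?(\d+)\.(\d+)\.(\d+))?")

def is_affected(version):
    # Ranges as listed in the advisory: < v1.11.0, v1.11.0 - 1.11.4, v1.12.0
    return version <= (1, 11, 4) or version == (1, 12, 0)

def audit(pods_json):
    """Return one finding per ingress-nginx controller container."""
    findings = []
    for pod in json.loads(pods_json)["items"]:
        for c in pod["spec"]["containers"]:
            m = CONTROLLER_IMAGE.search(c["image"])
            if not m:
                continue  # e.g. the webhook certgen job, which has its own versioning
            version = tuple(map(int, m.groups())) if m.group(1) else None
            args = c.get("args") or []
            findings.append({
                "pod": f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}',
                "version": version,
                # None: tag missing or unparseable (digest-only, "latest"); check by hand
                "affected": is_affected(version) if version else None,
                "webhook_enabled": any(
                    a == "--validating-webhook" or a.startswith("--validating-webhook=")
                    for a in args),
            })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A pod reported with `affected: True` and `webhook_enabled: True` is the one to update or mitigate first.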
More information is available here:
https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/
https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
https://nvd.nist.gov/vuln/detail/CVE-2025-1974