A set of vulnerabilities has been identified in the Ingress-NGINX Controller for Kubernetes, posing a risk to organizations running the affected versions. These vulnerabilities affect versions prior to Ingress-NGINX Controller 1.12.1 and 1.11.5, and could allow unauthorized remote code execution and potential full cluster takeover.
Technical users leveraging Kubernetes for containerized workloads should immediately patch their systems to the latest version to mitigate these risks.
Ingress-NGINX Controller Background: What Has Happened?
The Australian Cyber Security Centre has released an advisory detailing multiple vulnerabilities affecting Ingress-NGINX Controller. The flaws stem from improper handling of ingress annotations and attacker-provided data, leading to arbitrary code execution and secret disclosures.
Below are the key vulnerabilities identified:
1. CVE-2025-1097: Auth-TLS-Match-CN Ingress Annotation Vulnerability
A security issue exists where the auth-tls-match-cn Ingress annotation can be exploited to inject unauthorized configurations into NGINX.
- Impact: Enables arbitrary code execution in the context of the Ingress-NGINX controller.
- Risk: Unauthorized access to all Secrets across namespaces, compromising the cluster’s security.
2. CVE-2025-1098: Mirror-Target and Mirror-Host Annotations Vulnerability
The mirror-target and mirror-host Ingress annotations can be misused to insert arbitrary configurations into NGINX.
- Impact: Remote execution of malicious code within the Ingress-NGINX controller.
- Risk: Exposes sensitive cluster-wide Secrets, leading to potential system compromise.
3. CVE-2025-1974: Unauthenticated Access to Pod Network
Under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution.
- Impact: Compromised controller integrity.
- Risk: Attackers can extract Secrets from the cluster and potentially gain full control.
4. CVE-2025-24513: Directory Traversal via Ingress-NGINX Admission Controller
A vulnerability in the Ingress-NGINX Admission Controller allows attacker-provided data to be included in filenames, leading to directory traversal within the container.
- Impact: Can result in Denial of Service (DoS).
- Risk: In some cases, can expose Secret objects within the cluster.
5. CVE-2025-24514: Auth-URL Ingress Annotation Exploit
The auth-url Ingress annotation can be used to inject malicious configurations into NGINX.
- Impact: Allows attackers to remotely execute code within the controller.
- Risk: Grants unauthorized access to Secrets across namespaces.
Why This Matters
Ingress-NGINX Controller plays a critical role in routing external traffic to services within a Kubernetes cluster. Exploiting these vulnerabilities can lead to:
- Remote Code Execution (RCE): Attackers can execute arbitrary commands on the Ingress controller.
- Cluster-Wide Secrets Exposure: Sensitive credentials, API keys, and other secrets can be compromised.
- Complete Cluster Takeover: Unauthorized access could lead to a total compromise of Kubernetes infrastructure.
Mitigation: How to Stay Secure
To protect against these vulnerabilities, the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) recommends the following measures:
- Upgrade to the Latest Version
  - Immediately update Ingress-NGINX Controller to version 1.12.1 or 1.11.5 to patch these security issues.
- Review Kubernetes Security Guidance
  - Regularly monitor updates from the official Ingress-NGINX GitHub repository to stay informed about security patches and advisories.
- Disable External Access to the Admission Webhook Endpoint
  - Ensure the admission webhook endpoint is not publicly accessible, so that external attackers cannot reach it.
- Addressing CVE-2025-1974
  - Due to the severity of this vulnerability, validation of the generated NGINX configuration has been disabled during Ingress resource validation.
  - While the controller still checks the configuration before actually loading it, invalid Ingress resources may now prevent NGINX from updating its configuration.
  - Recommended actions:
    - Enable annotation validation.
    - Disable snippet annotations to minimize risk.
    - Monitor Ingress-NGINX logs for errors, particularly lines prefixed with Error.
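As an added example (not part of the advisory or the ingress-nginx project), the following script audits a cluster's controller settings against the measures listed above. It works offline on objects in the shape `kubectl get deployment/configmap/service/ingress -o json` returns; the sample objects are constructed, and the `allow-snippet-annotations` ConfigMap key, the `--enable-annotation-validation` controller flag and the `nginx.ingress.kubernetes.io/` annotation prefix are the upstream names as this author knows them.

```python
import re

# Patched release of each supported branch, taken from the advisory above.
FIXED = {(1, 12): (1, 12, 1), (1, 11): (1, 11, 5)}
# Ingress annotations named in the advisory, with the upstream annotation prefix.
RISKY = {f"nginx.ingress.kubernetes.io/{k}"
         for k in ("auth-url", "auth-tls-match-cn", "mirror-target", "mirror-host")}

def parse_version(image):
    """(major, minor, patch) from an image ref such as '.../controller:v1.11.4', else None."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    return tuple(int(x) for x in m.groups()) if m else None

def version_is_vulnerable(ver):
    """Older than the fixed release of its branch, or on a branch that never received the fix."""
    if ver is None:
        return True  # untagged or unparseable image: assume the worst
    fixed = FIXED.get(ver[:2])
    return ver < fixed if fixed else ver < (1, 11, 5)

def audit(deployment, configmap, webhook_svc, ingresses=()):
    """Return one finding string per hardening step from the advisory that is not met."""
    findings = []
    ctrl = deployment["spec"]["template"]["spec"]["containers"][0]
    if version_is_vulnerable(parse_version(ctrl["image"])):
        findings.append("controller older than 1.12.1 / 1.11.5: upgrade")
    args = set(ctrl.get("args", []))
    if not {"--enable-annotation-validation", "--enable-annotation-validation=true"} & args:
        findings.append("annotation validation not explicitly enabled")
    # The ConfigMap default has changed across releases, so require an explicit 'false'.
    if configmap.get("data", {}).get("allow-snippet-annotations") != "false":
        findings.append("allow-snippet-annotations is not 'false'")
    if webhook_svc["spec"].get("type", "ClusterIP") != "ClusterIP":
        findings.append("admission webhook Service reachable from outside the cluster")
    for ing in ingresses:  # inventory of objects using the annotations the CVEs involve
        used = RISKY & set(ing["metadata"].get("annotations", {}))
        if used:
            findings.append(f"ingress {ing['metadata']['name']} uses {sorted(used)}")
    return findings

# Constructed sample objects (not from a real cluster) representing an unpatched setup.
SAMPLE_DEPLOYMENT = {"spec": {"template": {"spec": {"containers": [{
    "image": "registry.k8s.io/ingress-nginx/controller:v1.11.4",
    "args": ["/nginx-ingress-controller", "--enable-annotation-validation=false"]}]}}}}
SAMPLE_CONFIGMAP = {"data": {"allow-snippet-annotations": "true"}}
SAMPLE_WEBHOOK_SVC = {"spec": {"type": "NodePort"}}
SAMPLE_INGRESSES = [{"metadata": {"name": "app", "annotations": {
    "nginx.ingress.kubernetes.io/auth-url": "http://auth.default.svc/verify"}}}]
FINDINGS = audit(SAMPLE_DEPLOYMENT, SAMPLE_CONFIGMAP, SAMPLE_WEBHOOK_SVC, SAMPLE_INGRESSES)
```

Feed it the real objects from `kubectl get ... -o json` to get a per-cluster list of the steps still outstanding; an empty list means every item above is satisfied.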
The Ingress-NGINX vulnerabilities present a serious risk to Kubernetes clusters, with potential consequences including unauthorized remote execution, credential leaks, and cluster-wide compromise. Organizations using affected versions should immediately upgrade to secure their environments.
By staying informed and following best practices, technical teams can minimize the attack surface and prevent exploitation of these critical flaws.