Ingress-Nginx "IngressNightmare" RCE (CVE-2025-1974) - Vulnerability Database

Description

Ingress-Nginx versions prior to the patched releases contain a critical remote code execution vulnerability (CVE-2025-1974), dubbed "IngressNightmare." The vulnerability stems from insufficient validation of Ingress annotation values, allowing attackers to inject malicious NGINX configuration directives. Successful exploitation enables arbitrary command execution within the Ingress-Nginx controller pod and unauthorized access to all Kubernetes secrets within the controller's service account scope.

Remediation

Take the following steps immediately to remediate this vulnerability:

1. Upgrade Ingress-Nginx Controller
Update to a patched version as soon as possible. Refer to the official Kubernetes security advisory and Ingress-Nginx release notes for the specific version that addresses CVE-2025-1974.

2. Enable Admission Controller Validation
Ensure the Ingress-Nginx admission controller is enabled and properly configured to validate annotations before they are applied.

3. Review Existing Ingress Resources
Audit all existing Ingress objects for suspicious or unusual annotations that may indicate prior exploitation:

kubectl get ingress --all-namespaces -o yaml | grep -A 5 'annotations:'
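As an added illustration of this audit step (example code, not part of the original advisory), the following Python scanner reads the JSON form of the same listing (`kubectl get ingress --all-namespaces -o json`) and flags Ingress-Nginx annotations worth a closer look: raw config snippets, and plain annotation values containing characters that terminate or open NGINX directives. The heuristic, the annotation prefix handling and the sample objects are assumptions made for the example.

```python
import json
import re

# Annotation prefix used by the Ingress-Nginx controller.
NGINX_PREFIX = "nginx.ingress.kubernetes.io/"
# Characters that end or open an NGINX directive/block. In a plain (non-snippet)
# annotation value they are a strong hint of attempted config injection (assumed heuristic).
DIRECTIVE_CHARS = re.compile(r"[;{}\n#]")


def find_suspicious_annotations(ingress_list: dict) -> list:
    """Scan a kubectl 'List' of Ingress objects (parsed JSON) and return
    (namespace, name, annotation key, reason) tuples that need manual review."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        ns = meta.get("namespace", "default")
        name = meta.get("name", "<unnamed>")
        for key, value in (meta.get("annotations") or {}).items():
            if not key.startswith(NGINX_PREFIX):
                continue
            if key.endswith("-snippet"):
                # Snippets embed raw NGINX config by design; every one deserves a look.
                findings.append((ns, name, key, "raw config snippet"))
            elif DIRECTIVE_CHARS.search(str(value)):
                findings.append((ns, name, key, "directive characters in plain annotation"))
    return findings


# Constructed sample mimicking `kubectl get ingress --all-namespaces -o json`.
SAMPLE = {"kind": "List", "items": [
    {"metadata": {"namespace": "shop", "name": "web",
                  "annotations": {NGINX_PREFIX + "rewrite-target": "/"}}},
    {"metadata": {"namespace": "ops", "name": "grafana",
                  "annotations": {NGINX_PREFIX + "configuration-snippet": "more_set_headers x;"}}},
    {"metadata": {"namespace": "dev", "name": "api",
                  "annotations": {NGINX_PREFIX + "auth-url": "http://a;\nload_module x.so"}}},
]}

if __name__ == "__main__":
    import sys
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for ns, name, key, reason in find_suspicious_annotations(data):
        print(f"{ns}/{name}: {key} ({reason})")
```

Pipe the real listing into the script to scan a live cluster; with no input it runs against the constructed sample.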

4. Implement RBAC Restrictions
Limit who can create or modify Ingress resources using Kubernetes Role-Based Access Control (RBAC):

apiVersion: rbac.authorization.k8s.io/v1
kind: Role   # namespace-scoped; use a ClusterRole for cluster-wide rules
metadata:
  name: ingress-restricted
rules:
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["get", "list"] # Remove "create", "update", "patch"; bind the Role to subjects with a RoleBinding

5. Monitor for Indicators of Compromise
Review controller logs for unusual configuration changes or unexpected process execution within the Ingress-Nginx pods.
