© 2024, Global Digital Services LLC.

Urgent Security Update: Addressing Ingress-nginx Vulnerabilities in Kubernetes


Carlos Noguera - September 17, 2025

Ingress-nginx vulnerabilities have prompted an urgent security update for Kubernetes users. On March 24, 2025, critical patches were released for the ingress-nginx controller, specifically versions v1.12.1 and v1.11.5. This update is crucial for the over 40% of Kubernetes administrators utilizing this widely adopted ingress controller.

Ingress-nginx is responsible for managing network traffic for Kubernetes workloads by converting Ingress object definitions into configurations for NGINX, a popular web server. The recent vulnerabilities could allow malicious actors to exploit these configurations, which may lead to unauthorized access to sensitive data, including Kubernetes Secrets.

Critical Vulnerability Details

The most critical flaw identified, CVE-2025-1974, carries a severity rating of 9.8 on the CVSS scale. Key points include:

  • Attackers on the Pod network can inject configuration into the controller.
  • No administrative privileges are required for exploitation.
  • The risk is especially high for workloads accessing the Pod network within cloud VPCs or corporate networks.

Recommended Actions

Administrators are advised to check for ingress-nginx deployments in their clusters. Recommended actions include:

  1. Upgrade to the patched versions v1.12.1 or v1.11.5 immediately.
  2. If upgrades cannot be completed quickly, temporarily disable the Validating Admission Controller feature to mitigate risk.
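One way to carry out the check described above, as an added example that is not part of the original article: the script classifies each ingress-nginx controller container against the patched versions v1.12.1 and v1.11.5. It assumes pod data in the shape produced by `kubectl get pods --all-namespaces -o json`, that controller images keep the upstream `ingress-nginx/controller` path, and that release lines older than 1.11 carry no fix; the sample pods and helper names are constructed for illustration.

```python
import re

# Patched releases named in the article, keyed by (major, minor) release line.
PATCHED = {(1, 11): (1, 11, 5), (1, 12): (1, 12, 1)}
# Assumption: controller images keep the upstream "ingress-nginx/controller" path.
REPO = "ingress-nginx/controller"
TAG_RE = re.compile(r"ingress-nginx/controller(?:-chroot)?:v?(\d+)\.(\d+)\.(\d+)")

def is_patched(version):
    """Assumption: lines older than 1.11 never got the fix; lines after 1.12 ship with it."""
    line = version[:2]
    if line in PATCHED:
        return version >= PATCHED[line]
    return line > max(PATCHED)

def audit(pod_list):
    """Classify every controller container in `kubectl get pods -A -o json` style data."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        for container in pod.get("spec", {}).get("containers", []):
            image = container.get("image", "")
            if REPO not in image:
                continue
            match = TAG_RE.search(image)
            if match is None:  # digest-only or custom tag: needs manual review
                status = "unknown"
            else:
                version = tuple(int(part) for part in match.groups())
                status = "patched" if is_patched(version) else "vulnerable"
            findings.append((meta.get("namespace"), meta.get("name"), status))
    return findings

def _pod(namespace, name, image):
    """Build a minimal pod record (constructed sample data, not real cluster output)."""
    return {"metadata": {"namespace": namespace, "name": name},
            "spec": {"containers": [{"image": image}]}}

SAMPLE = {"items": [
    _pod("ingress-nginx", "ctl-old", "registry.k8s.io/ingress-nginx/controller:v1.11.3"),
    _pod("ingress-nginx", "ctl-fixed", "registry.k8s.io/ingress-nginx/controller:v1.12.1@sha256:0000"),
    _pod("edge", "ctl-1120", "registry.k8s.io/ingress-nginx/controller:v1.12.0"),
    _pod("edge", "ctl-pinned", "registry.k8s.io/ingress-nginx/controller@sha256:0000"),
    _pod("shop", "web", "docker.io/library/nginx:1.27.0"),
]}

if __name__ == "__main__":
    for namespace, name, status in audit(SAMPLE):
        print(f"{namespace}/{name}: {status}")
```

Containers reported as `unknown` are pinned by digest or carry a non-version tag, so their release has to be confirmed by hand before they are treated as patched.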

This announcement highlights the importance of addressing security vulnerabilities in Kubernetes environments swiftly to safeguard users and their data. For more detailed information, visit the source here.
