Ingress NGINX Controller Multiple Critical Vulnerabilities (IngressNightmare)

Five critical security vulnerabilities impacting the Ingress NGINX Controller for Kubernetes were discovered. The vulnerabilities may allow an unauthorized attacker to execute arbitrary code within the Ingress NGINX Controller’s pod. The vulnerabilities are collectively called IngressNightmare.

The CVEs are:

  • CVE-2025-24513
  • CVE-2025-24514: auth-url Annotation Injection Vulnerability
  • CVE-2025-1097: auth-tls-match-cn Annotation Injection Vulnerability
  • CVE-2025-1098: mirror UID Injection Vulnerability
  • CVE-2025-1974: NGINX Configuration Code Execution Vulnerability

Research shows that approximately 43% of cloud environments are vulnerable to the flaw. Over 6,500 clusters, including those of Fortune 500 companies, are publicly exposing vulnerable admission controllers to the Internet, placing them at immediate risk.

Ingress NGINX Controller is among the most popular ingress controllers available for Kubernetes and a core Kubernetes project, with over 18,000 stars on GitHub. NGINX Ingress Controller is an Ingress Controller implementation for NGINX and NGINX Plus that can load balance WebSocket, gRPC, TCP, and UDP applications. It supports standard Ingress features such as content-based routing and TLS/SSL termination.

The flaw lies in the admission controller component of the Ingress NGINX Controller. By default, this component is network-accessible without authentication. Attackers can exploit the flaw to send malicious ingress objects directly to the admission controller, injecting arbitrary NGINX configurations. Successful exploitation of the flaw may allow an attacker to access all stored data across all namespaces in a Kubernetes cluster, potentially leading to a complete cluster takeover.

Administrators can check for the presence of ingress-nginx in their clusters by running the following command:

kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx

Affected Versions

  • Ingress NGINX controller all versions before v1.11.0
  • Ingress NGINX controller versions v1.11.0 to v1.11.4
  • Ingress NGINX controller version v1.12.0
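The following script is an added example, not part of the advisory or of the ingress-nginx project. It turns the kubectl check above and the affected-version list into an offline-testable classifier: ingress_nginx_affected() applies the listed ranges to a version tag, image_tag() pulls the tag out of a container image reference, and check_cluster() (which needs kubectl and cluster access) reports each controller pod. It assumes, beyond what the advisory states, that v1.11.5+, v1.12.1+ and any later minor or major release are patched.

```sh
#!/bin/sh
# Added example (not from the advisory or the ingress-nginx project): classify an
# ingress-nginx controller version against the affected ranges listed above, and
# optionally apply it to the controller pods in the current kube context.

# Returns 0 if VERSION is in an affected range, 1 if patched, 2 if unparseable.
# Affected per the advisory: everything before v1.11.0, v1.11.0-v1.11.4, v1.12.0.
# Assumption: v1.11.5+, v1.12.1+ and any later minor/major release are patched.
ingress_nginx_affected() {
    v=${1#v}
    major=${v%%.*}
    rest=${v#*.}
    case $rest in
        *.*) minor=${rest%%.*}; patch=${rest#*.} ;;
        *)   minor=$rest; patch=0 ;;            # "v1.11" is read as v1.11.0
    esac
    patch=${patch%%[!0-9]*}                     # drop suffixes such as -rc1
    [ -n "$patch" ] || patch=0
    case "$major$minor" in *[!0-9]*|'') return 2 ;; esac
    [ "$major" -lt 1 ] && return 0
    [ "$major" -gt 1 ] && return 1
    [ "$minor" -lt 11 ] && return 0
    [ "$minor" -eq 11 ] && [ "$patch" -le 4 ] && return 0
    [ "$minor" -eq 12 ] && [ "$patch" -eq 0 ] && return 0
    return 1
}

# Tag of an image reference, ignoring any @sha256 digest and registry ports,
# e.g. registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:... -> v1.11.4
image_tag() {
    name=${1%%@*}
    name=${name##*/}
    case $name in
        *:*) printf '%s\n' "${name##*:}" ;;
        *)   printf '%s\n' latest ;;
    esac
}

# Report every controller pod in the cluster. The component selector excludes
# helper pods (such as the admission-webhook certgen jobs) that share the
# app.kubernetes.io/name label but carry an unrelated version tag.
check_cluster() {
    kubectl get pods --all-namespaces \
        --selector app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/component=controller \
        -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{" "}{.spec.containers[*].image}{"\n"}{end}' |
    while read -r ns pod images; do
        for img in $images; do
            if ingress_nginx_affected "$(image_tag "$img")"; then
                printf 'AFFECTED %s/%s %s\n' "$ns" "$pod" "$img"
            else
                printf 'ok       %s/%s %s\n' "$ns" "$pod" "$img"
            fi
        done
    done
}

if [ "${1:-}" = "--cluster" ]; then
    check_cluster
fi
```

Run it with `--cluster` against a kube context to list each controller pod with its verdict; without the flag it only defines the functions.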

Mitigation

Users must upgrade to the following versions to patch the vulnerabilities:

  • Ingress NGINX controller version v1.11.5
  • Ingress NGINX controller version v1.12.1

Qualys Detection

Qualys customers can scan their devices with QIDs 382971, 5003332, 5003333, 5003334, 5003335, and 5003336 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/
https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
