
A significant security flaw has been identified in the Ingress NGINX Controller for Kubernetes, potentially allowing unauthenticated remote code execution. The vulnerability endangers over 6,500 clusters whose affected components are exposed to the public internet.
Details of the IngressNightmare Vulnerabilities
The vulnerabilities, collectively known as IngressNightmare, have been assigned CVE identifiers CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974, each with a critical CVSS score of 9.8. It is crucial to note that these issues do not affect the NGINX Ingress Controller, a separate implementation for NGINX and NGINX Plus.
Impact and Exploitation
Exploiting these vulnerabilities allows attackers unauthorized access to all secrets stored across Kubernetes namespaces, potentially leading to a complete cluster takeover. Approximately 43% of cloud environments are susceptible to these flaws.
- IngressNightmare Core Issue: The vulnerabilities target the admission controller component of the Ingress NGINX Controller.
- Network Accessibility: Admission controllers are accessible over the network without authentication, enabling remote code execution.
Technical Breakdown of Vulnerabilities
The Ingress NGINX Controller functions as a reverse proxy and load balancer, exposing HTTP and HTTPS routes from outside a cluster to internal services. The vulnerabilities exploit the admission controller's network accessibility and elevated privileges.
Specific Vulnerabilities
- CVE-2025-24514: auth-url Annotation Injection
- CVE-2025-1097: auth-tls-match-cn Annotation Injection
- CVE-2025-1098: mirror UID Injection
- CVE-2025-1974: NGINX Configuration Code Execution
In an experimental attack scenario, a threat actor could upload a malicious payload via the client-body buffer feature of NGINX. This involves sending an AdmissionReview request to the admission controller, which contains configuration directive injections, leading to remote code execution.
Mitigation and Recommendations
Following responsible disclosure, the vulnerabilities have been patched in Ingress NGINX Controller versions 1.12.1, 1.11.5, and 1.10.7. Users are strongly advised to update to these versions immediately and ensure the admission webhook endpoint is not publicly accessible.
As a precaution, it is recommended to restrict access to the admission controller to only the Kubernetes API Server and disable the admission controller component if it is not essential.
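The two checks the recommendations above call for, a controller version at or above the fixed release for its branch and an admission webhook that is not reachable from outside the cluster, can be scripted over the cluster inventory. The following Python is an added example written for this page, not code from the article or from the ingress-nginx project. It runs over a constructed JSON document shaped like `kubectl get deploy,svc -A -o json`; the image path `ingress-nginx/controller` and the `-admission` Service name suffix are assumptions taken from the upstream manifests, and the fixed versions are the ones named in the text.

```python
"""Triage helper: flag ingress-nginx controller images that predate the
IngressNightmare fixes and admission-webhook Services exposed beyond the
cluster. Added example, not code from the article or the ingress-nginx project.
Input is constructed sample output shaped like `kubectl get deploy,svc -A -o json`."""
import json
import re

# Fixed releases named in the advisory text, keyed by (major, minor) branch.
FIXED_PATCH = {(1, 12): 1, (1, 11): 5, (1, 10): 7}

# Constructed sample of a hypothetical cluster; the digest is a placeholder, not a real value.
SAMPLE_KUBECTL_JSON = json.dumps({
    "items": [
        {"kind": "Deployment",
         "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
         "spec": {"template": {"spec": {"containers": [
             {"name": "controller",
              "image": "registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:PLACEHOLDER"}]}}}},
        {"kind": "Deployment",
         "metadata": {"name": "ingress-nginx-controller", "namespace": "edge"},
         "spec": {"template": {"spec": {"containers": [
             {"name": "controller",
              "image": "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]}}}},
        {"kind": "Service",
         "metadata": {"name": "ingress-nginx-controller-admission", "namespace": "ingress-nginx"},
         "spec": {"type": "LoadBalancer", "ports": [{"port": 443, "targetPort": "webhook"}]}},
        {"kind": "Service",
         "metadata": {"name": "ingress-nginx-controller-admission", "namespace": "edge"},
         "spec": {"type": "ClusterIP", "ports": [{"port": 443, "targetPort": "webhook"}]}},
    ]})

# Assumed upstream image path; the -chroot variant is published alongside the regular one.
TAG_RE = re.compile(r"/ingress-nginx/controller(?:-chroot)?:v?(\d+)\.(\d+)\.(\d+)")


def parse_controller_version(image):
    """Return (major, minor, patch) for an ingress-nginx controller image, else None."""
    m = TAG_RE.search(image.split("@", 1)[0])  # drop any @sha256 digest suffix
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(version):
    """True if the version is at or above the fixed release for its branch."""
    major, minor, patch = version
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return patch >= FIXED_PATCH[branch]
    # Branches newer than 1.12 were cut after the fix; branches older than 1.10 never received it.
    return branch > max(FIXED_PATCH)


def triage(kubectl_json):
    """Return a list of findings for vulnerable images and exposed admission Services."""
    findings = []
    for item in json.loads(kubectl_json)["items"]:
        meta = item["metadata"]
        ref = f'{meta["namespace"]}/{meta["name"]}'
        if item["kind"] == "Deployment":
            for c in item["spec"]["template"]["spec"]["containers"]:
                v = parse_controller_version(c["image"])
                if v and not is_patched(v):
                    findings.append(
                        f"{ref}: controller v{v[0]}.{v[1]}.{v[2]} predates the IngressNightmare fix")
        elif item["kind"] == "Service" and meta["name"].endswith("-admission"):
            # Only the API server needs to reach the webhook; anything but ClusterIP is suspect.
            svc_type = item["spec"].get("type", "ClusterIP")
            if svc_type != "ClusterIP":
                findings.append(
                    f"{ref}: admission webhook Service is type {svc_type} (reachable beyond the cluster)")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_KUBECTL_JSON):
        print(line)
```

Against the constructed sample the script reports the `ingress-nginx` namespace twice: its controller runs v1.11.3, below the 1.11.5 fix, and its admission Service is a LoadBalancer. A ClusterIP Service is only the first step; on a real cluster also confirm that no Ingress, NodePort or firewall rule forwards to the webhook port, and that the controller has been restarted on the new image.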