
Ingress NGINX Remote Code Execution Vulnerabilities Discovered – Patch Now!


Critical security vulnerabilities have been discovered in the Ingress-NGINX Controller for Kubernetes. CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, and CVE-2025-1974—collectively known as ‘IngressNightmare’—allow attackers to gain unauthorized access to secrets across all namespaces. This results in unauthenticated remote code execution and ultimately leads to a complete takeover of the Kubernetes cluster.


Understanding the Ingress NGINX Controller

The Ingress-NGINX Controller (not to be confused with the NGINX Ingress Controller by NGINX) is a widely adopted open-source component that manages external access to services within Kubernetes clusters, utilizing NGINX as a reverse proxy and load balancer. It exposes HTTP and HTTPS routes from outside a cluster to services within a cluster and enables traffic mapping to different backends based on rules defined via the Kubernetes API.


Technical Details

  • CVE-2025-1097 : auth-tls-match-cn Annotation Injection
    This vulnerability arises from improper input validation in the CommonNameAnnotationValidator function in the authtls parser. The auth-tls-match-cn annotation requires the value to start with ‘CN=’ and the remaining characters to form a valid regular expression. When both these requirements are bypassed by an attacker, they can inject arbitrary NGINX configuration.
  • CVE-2025-1098 : mirror UID Injection
    This vulnerability arises from unsanitized input being inserted into $location.Mirror.Source in the temporary NGINX configuration. The mirror annotation parser, which reads the UID from the ingress object (the ing.UID field), is the source of this insertion. Because the UID is not a Kubernetes annotation, it is not sanitized by the annotations’ regex rules. This allows the context to be escaped and arbitrary NGINX configuration directives to be injected.
  • CVE-2025-1974: NGINX Configuration Code Execution
    This vulnerability arises from executing NGINX configuration that has been injected using the other CVEs mentioned. The generated NGINX configuration is validated with nginx -t. A directive that executes arbitrary code during nginx -t compromises the pod and lets attackers take over its highly privileged Kubernetes role.
  • CVE-2025-24514: auth-url Annotation Injection
    This vulnerability arises from improper input sanitization of a URL field inserted into the temporary configuration. The auth-url annotation parser requires the auth-url fields to be set, among which the URL field is fetched as $externalAuth.URL without proper sanitization. This allows attackers to inject arbitrary NGINX configuration directives that are then run by nginx -t.

Another Vulnerability in Ingress-NGINX

  • CVE-2025-24513: auth secret file Path Traversal Vulnerability
    This vulnerability arises due to the inclusion of attacker-provided data in a file name by the ingress-nginx Admission Controller feature. This results in directory traversal within the container, enabling the attacker to access auth secret files.

All the above vulnerabilities take advantage of the fact that admission controllers are accessible over the network without authentication. Attackers can thus send malicious ingress objects (AdmissionReview requests) directly to the admission controller.


Affected Products

This issue affects ingress-nginx. Clusters that do not have ingress-nginx installed are not affected by the above vulnerabilities. This can be verified by running the command below:

kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx

Affected ingress-nginx Versions:

  • All versions before 1.11.0
  • Versions 1.11.0 through 1.11.4
  • Version 1.12.0

Mitigation and Workarounds

Kubernetes has released ingress-nginx versions 1.11.5 and 1.12.1 to address the above vulnerabilities. We strongly recommend users upgrade to the fixed versions or later to mitigate the identified vulnerabilities.

We also strongly recommend disabling the Validating Admission Controller functionality of ingress-nginx to mitigate these vulnerabilities.
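The affected and fixed version lists above can be turned into a quick audit of a cluster. The following is an added example, not code from the original post or from the ingress-nginx project; it assumes the pod list is the JSON output of the kubectl command shown under Affected Products (run with -o json), and the embedded pod list is a constructed sample.

```python
import json
import re

# Fixed releases named in the advisory: 1.11.5 for the 1.11 line, 1.12.1 for the 1.12 line.
FIXED = {(1, 11): (1, 11, 5), (1, 12): (1, 12, 1)}


def parse_version(tag):
    """Turn an image tag such as 'v1.11.4' into a (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        raise ValueError(f"unrecognised version tag: {tag}")
    return tuple(int(x) for x in m.groups())


def is_affected(tag):
    """True for the affected ranges: anything before 1.11.0, 1.11.0-1.11.4, or 1.12.0."""
    major, minor, patch = parse_version(tag)
    if (major, minor) < (1, 11):
        return True  # every release before 1.11.0
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return False  # not one of the lines listed as affected
    return (major, minor, patch) < fixed


def affected_controllers(pod_list_json):
    """Scan 'kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx -o json'
    output and return (namespace, pod, image) for each container running an affected version."""
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        for container in pod["spec"].get("containers", []):
            image = container["image"]
            tag = image.split("@", 1)[0].rsplit(":", 1)[-1]  # drop any digest, keep the tag
            try:
                if is_affected(tag):
                    findings.append((ns, name, image))
            except ValueError:
                continue  # digest-only or untagged image: review it manually
    return findings


# Constructed sample pod list: one vulnerable controller and one patched controller.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-abc"},
     "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.11.4"}]}},
    {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller-def"},
     "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]}},
]})

if __name__ == "__main__":
    for ns, name, image in affected_controllers(SAMPLE_PODS):
        print(f"AFFECTED {ns}/{name}: {image}")
```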


Instantly Fix Risks with SanerNow Patch Management

SanerNow patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. SanerNow patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.