Advisory

Critical Security Vulnerability in Kubernetes Ingress Controller (IngressNightmare)

IngressNightmare exposes multiple vulnerabilities (CVE-2025-1974, CVE-2025-1097, CVE-2025-1098, CVE-2025-24513, CVE-2025-24514) allowing attackers to execute arbitrary code in ingress-nginx controllers, leading to full Kubernetes cluster compromise.

3 Min

March 26, 2025

On March 24, 2025, security researchers at Wiz publicly disclosed a critical vulnerability set dubbed "IngressNightmare," affecting Kubernetes clusters running the popular ingress-nginx controller. This flaw enables attackers to inject malicious NGINX configurations and achieve unauthenticated remote code execution, potentially compromising the entire Kubernetes environment.

Understanding the Vulnerability

Ingress-nginx controllers manage traffic routing within Kubernetes clusters by converting Ingress resources into NGINX configurations. The vulnerability arises from insufficient input sanitization in the ingress-nginx Validating Admission Webhook, which processes incoming Ingress definitions without authentication.

Attackers exploit this by crafting malicious AdmissionReview requests, injecting arbitrary NGINX directives into the configuration validation process. This manipulation allows attackers to execute arbitrary code, gain access to sensitive secrets, and escalate privileges within the Kubernetes cluster.

Affected Versions

The following ingress-nginx versions are affected:

  • Versions prior to v1.12.1

  • Versions prior to v1.11.5

  • Versions prior to v1.10.7

Clusters deployed across major cloud services (AWS EKS, Google GKE, Azure AKS) that run a manually installed ingress-nginx controller may be vulnerable.

Mitigation Steps

Immediate action is recommended:

  • Upgrade ingress-nginx to version 1.12.1, 1.11.5, or 1.10.7, depending on the currently used branch.

  • Restrict access to the ingress-nginx admission controller, ensuring it is reachable only by the Kubernetes API server.

  • Temporarily disable the validating webhook if immediate patching is not feasible (ensure re-enablement post-patching).
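To make the affected-version ranges and the patch and webhook steps above checkable, the following added example (not the advisory's text and not code from the ingress-nginx project) classifies a deployed version against the ranges, reports the first fixed release for its branch, and wraps the upgrade and stop-gap webhook removal in functions. It assumes the names from the upstream manifests (namespace ingress-nginx, deployment ingress-nginx-controller, container controller, ValidatingWebhookConfiguration ingress-nginx-admission) and a kubectl context for the cluster; the check argument and script name are illustrative.

```shell
#!/bin/sh
# Added example, not taken from the advisory or the ingress-nginx project.
# Assumed: the upstream manifest's namespace "ingress-nginx", deployment
# "ingress-nginx-controller", container "controller" and webhook configuration
# "ingress-nginx-admission"; adjust these to your install.
set -u

# First fixed release on each branch, as given in the advisory.
FIXED_1_12="1.12.1"
FIXED_1_11="1.11.5"
FIXED_1_10="1.10.7"

# version_lt A B: exit 0 when dotted version A sorts before B (numeric,
# component by component; a missing component counts as 0).
version_lt() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s' "$b" | cut -d. -f"$i"); y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1   # equal
}

# ingress_nginx_fixed_version VERSION: print the release that closes the
# affected range for VERSION's branch (a leading "v" is tolerated).
ingress_nginx_fixed_version() {
    v="${1#v}"
    case "$v" in
        1.12.*) printf '%s\n' "$FIXED_1_12" ;;
        1.11.*) printf '%s\n' "$FIXED_1_11" ;;
        *)      printf '%s\n' "$FIXED_1_10" ;;   # 1.10 and every older branch
    esac
}

# ingress_nginx_is_vulnerable VERSION: exit 0 when VERSION is in an affected
# range (below 1.12.1 on 1.12, below 1.11.5 on 1.11, below 1.10.7 otherwise).
# Branches newer than 1.12 are not listed in the advisory and are reported clean.
ingress_nginx_is_vulnerable() {
    v="${1#v}"
    version_lt "$v" "$(ingress_nginx_fixed_version "$v")"
}

# deployed_ingress_nginx_version: image tag of the running controller, e.g.
# "v1.11.4" (any @sha256 digest suffix stripped). Needs kubectl and cluster access.
deployed_ingress_nginx_version() {
    kubectl -n ingress-nginx get deployment ingress-nginx-controller \
        -o jsonpath='{.spec.template.spec.containers[0].image}' \
        | sed 's/@.*//; s/.*://'
}

# Step 1: move the controller image to the fixed release of its branch.
# Pinning the digest from the release manifest is preferable to a bare tag.
upgrade_ingress_nginx() {
    target="v$(ingress_nginx_fixed_version "$1")"
    kubectl -n ingress-nginx set image deployment/ingress-nginx-controller \
        "controller=registry.k8s.io/ingress-nginx/controller:$target"
}

# Step 3 (stop-gap only): remove the validating webhook so the controller no
# longer receives AdmissionReview requests. Re-create it from the release
# manifest once the controller is patched.
disable_admission_webhook() {
    kubectl delete validatingwebhookconfiguration ingress-nginx-admission
}

# Usage: sh ingress-nightmare-check.sh check   (assumed script name)
if [ "${1:-}" = "check" ]; then
    current=$(deployed_ingress_nginx_version)
    if ingress_nginx_is_vulnerable "$current"; then
        echo "ingress-nginx $current is affected; upgrade to v$(ingress_nginx_fixed_version "$current")"
    else
        echo "ingress-nginx $current is not in an affected range"
    fi
fi
```

The version comparison is deliberately plain POSIX sh so it runs inside a minimal CI or toolbox image; only the three functions that talk to the cluster need kubectl.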

Organizations should also review their cluster permissions, implement robust RBAC controls, and monitor network traffic for unusual AdmissionReview activity.
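The network-isolation step and the monitoring advice above can be made concrete with the following added example (not the advisory's text and not code from the ingress-nginx project). It generates a NetworkPolicy that admits the webhook port only from the API server's source addresses, and runs a small filter over flow records to surface any other source that reached the webhook port. It assumes the upstream pod labels app.kubernetes.io/name=ingress-nginx and app.kubernetes.io/component=controller, the namespace ingress-nginx, webhook container port 8443, and a CNI that enforces NetworkPolicy; the API server CIDR is an argument because it is cluster-specific (on managed clusters the webhook calls can originate outside the pod network), and the flow-record field layout and sample lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the advisory or the ingress-nginx project.
# Assumed: upstream controller labels, namespace "ingress-nginx", webhook port
# 8443, a NetworkPolicy-enforcing CNI, and a constructed flow-record format.
set -u

WEBHOOK_PORT=8443

# webhook_network_policy_yaml APISERVER_CIDR: print the policy. Application
# traffic on 80/443 stays open; add any other ports your controller serves
# (metrics, for example) or they are denied once the policy selects the pod.
webhook_network_policy_yaml() {
    cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-nginx-webhook-from-apiserver-only
  namespace: ingress-nginx
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/component: controller
  policyTypes:
    - Ingress
  ingress:
    - ports:
        - port: 80
          protocol: TCP
        - port: 443
          protocol: TCP
    - from:
        - ipBlock:
            cidr: $1
      ports:
        - port: $WEBHOOK_PORT
          protocol: TCP
EOF
}

# apply_webhook_network_policy APISERVER_CIDR: needs kubectl and cluster access.
apply_webhook_network_policy() {
    webhook_network_policy_yaml "$1" | kubectl apply -f -
}

# flag_unexpected_webhook_clients "IP IP ...": read records of the constructed
# form "src=IP dst=IP dport=PORT ..." on stdin (map your own flow-log or CNI
# export to it) and print, de-duplicated, every source that reached the
# webhook port but is not one of the allowed API server addresses.
flag_unexpected_webhook_clients() {
    awk -v allowed="$1" -v port="$WEBHOOK_PORT" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            src = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^src=/)   src = substr($i, 5)
                if ($i ~ /^dport=/) dport = substr($i, 7)
            }
            if (dport == port && !(src in ok)) print src
        }' | sort -u
}

# demo_flagged_clients: run the filter over constructed sample records in which
# 10.0.0.10 is the API server and two pods reach the webhook port directly.
demo_flagged_clients() {
    printf '%s\n' \
        'src=10.0.0.10 dst=10.244.1.7 dport=8443 proto=tcp' \
        'src=203.0.113.9 dst=10.244.1.7 dport=443 proto=tcp' \
        'src=10.244.9.12 dst=10.244.1.7 dport=8443 proto=tcp' \
        'src=10.0.0.10 dst=10.244.1.7 dport=8443 proto=tcp' \
        'src=10.244.9.12 dst=10.244.1.7 dport=8443 proto=tcp' \
        'src=10.244.5.3 dst=10.244.1.7 dport=8443 proto=tcp' \
        | flag_unexpected_webhook_clients "10.0.0.10"
}
```

A non-empty result from the filter is exactly the "unusual AdmissionReview activity" worth alerting on: with the policy in place such connections should be dropped, so seeing them indicates either a policy gap or a client inside the cluster probing the webhook.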

Conclusion

IngressNightmare highlights critical vulnerabilities within Kubernetes ingress-nginx controllers. Organizations must promptly update affected deployments and enforce strict network isolation and monitoring to mitigate exploitation risks. Strong security hygiene and timely patching remain essential to protecting Kubernetes environments.
