Critical Security Vulnerabilities in Ingress NGINX Controller for Kubernetes

Introduction

A series of critical security vulnerabilities have been identified in the Ingress NGINX Controller for Kubernetes, posing a significant risk to over 6,500 clusters exposed to the public internet. These vulnerabilities, collectively termed IngressNightmare, could allow unauthenticated remote code execution (RCE), potentially leading to full cluster compromise.

Disclosed by cloud security firm Wiz, these vulnerabilities have been assigned the following CVE identifiers: CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974. They carry CVSS scores of up to 9.8, indicating their severe impact. Notably, these flaws do not affect the NGINX Ingress Controller, which is a separate ingress controller implementation for NGINX and NGINX Plus.

Nature of the Vulnerabilities

The IngressNightmare vulnerabilities primarily affect the admission controller component of the Ingress NGINX Controller. This component is responsible for validating incoming requests and is accessible over the network without authentication, creating an attack vector that could be exploited remotely.

Ingress NGINX Controller functions as a reverse proxy and load balancer, exposing HTTP and HTTPS routes from outside the cluster to internal Kubernetes services. Because the admission controller accepts requests without authentication and does not sufficiently validate ingress annotations, attackers can inject arbitrary NGINX configuration by sending crafted AdmissionReview requests containing malicious ingress objects directly to the admission controller. This enables unauthorized access to Kubernetes secrets across namespaces, which could lead to cluster takeover.

According to Wiz, approximately 43% of cloud environments utilizing this component are vulnerable to these exploits, underscoring the widespread nature of the risk.

Breakdown of the Vulnerabilities

  1. CVE-2025-24513 (CVSS score: 4.8)

    • Improper input validation leading to directory traversal within the container. This flaw could cause denial-of-service (DoS) attacks or allow limited disclosure of secret objects when combined with other vulnerabilities.

  2. CVE-2025-24514 (CVSS score: 8.8)

    • The auth-url Ingress annotation can be used to inject arbitrary configurations into NGINX. This results in remote code execution (RCE) within the ingress-nginx controller and may expose sensitive secrets.

  3. CVE-2025-1097 (CVSS score: 8.8)

    • The auth-tls-match-cn Ingress annotation can also be exploited to inject arbitrary configurations into NGINX, leading to code execution and secret disclosure within the controller.

  4. CVE-2025-1098 (CVSS score: 8.8)

    • Attackers can exploit the mirror-target and mirror-host Ingress annotations to inject malicious configurations, leading to remote code execution and exposure of sensitive data.

  5. CVE-2025-1974 (CVSS score: 9.8)

    • The most severe of the vulnerabilities, this flaw enables an unauthenticated attacker with pod network access to achieve arbitrary code execution, significantly increasing the risk of a complete cluster takeover.

Exploit Demonstration

In a simulated attack scenario, a threat actor could leverage the client-body buffer feature of NGINX to upload a malicious shared library to the pod. The attacker could then send an AdmissionReview request to the admission controller that exploits one of the configuration-injection vulnerabilities. This sequence of actions would result in the execution of malicious code, ultimately leading to unauthorized access to Kubernetes secrets and potential full cluster control.

According to Hillai Ben-Sasson, a cloud security researcher at Wiz, this attack methodology allows adversaries to inject malicious configurations, enabling them to read sensitive files and execute arbitrary commands. By exploiting a privileged Service Account, an attacker could escalate their access further, compromising the Kubernetes cluster entirely.

Mitigation and Recommended Actions

Following responsible disclosure, the Ingress NGINX Controller team has released security patches addressing these vulnerabilities. The fixed versions include:

  • 1.12.1

  • 1.11.5

  • 1.10.7

Security Recommendations

Organizations using Ingress NGINX Controller are strongly advised to:

  • Update to the latest patched versions as soon as possible to mitigate the risks associated with these vulnerabilities.

  • Restrict external access to the admission webhook endpoint to prevent unauthorized requests.

  • Limit admission controller access exclusively to the Kubernetes API Server to minimize exposure.

  • Temporarily disable the admission controller if it is not an operational necessity.
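The first step in applying these recommendations is knowing where the controller is running, which version it runs, and which Ingress objects use the annotations named in the breakdown above. The following audit script is an added example written for this article; it is not code from Wiz or the ingress-nginx project. It assumes the controller image is published as `registry.k8s.io/ingress-nginx/controller` (or the `controller-chroot` variant) with a `v<major>.<minor>.<patch>` tag, that the input has the shape of `kubectl get pods -A -o json` and `kubectl get ingress -A -o json`, and that release branches newer than 1.12 already carry the fix while branches older than 1.10 never received one. The sample cluster snapshot embedded below is constructed for the demonstration.

```python
"""Audit a Kubernetes snapshot for unpatched Ingress NGINX Controller pods and
for Ingress objects carrying the annotations involved in IngressNightmare.

Added example; assumptions: image name pattern, JSON shape of kubectl output,
and the treatment of branches outside 1.10-1.12 (see FIXED_BY_BRANCH).
"""
import json
import re

# Fixed versions named in the advisory, keyed by (major, minor) branch.
FIXED_BY_BRANCH = {(1, 12): (1, 12, 1), (1, 11): (1, 11, 5), (1, 10): (1, 10, 7)}

# Annotations named in the per-CVE breakdown, with the real ingress-nginx prefix.
RISKY_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/auth-url": "CVE-2025-24514",
    "nginx.ingress.kubernetes.io/auth-tls-match-cn": "CVE-2025-1097",
    "nginx.ingress.kubernetes.io/mirror-target": "CVE-2025-1098",
    "nginx.ingress.kubernetes.io/mirror-host": "CVE-2025-1098",
}

# Assumed image naming convention (controller or controller-chroot, tag v1.11.3 etc.).
IMAGE_RE = re.compile(r"ingress-nginx/controller(?:-chroot)?:v?(\d+)\.(\d+)\.(\d+)")


def parse_version(image):
    """Return (major, minor, patch) for a controller image, or None for other images."""
    match = IMAGE_RE.search(image)
    return tuple(int(part) for part in match.groups()) if match else None


def is_patched(version):
    """True when the version is at or above the fixed release for its branch."""
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return version >= FIXED_BY_BRANCH[branch]
    # Assumption: branches after 1.12 include the fix; branches before 1.10 do not.
    return branch > (1, 12)


def audit_controller_pods(pods_json):
    """List every ingress-nginx controller container with its patch status."""
    findings = []
    for pod in pods_json.get("items", []):
        meta = pod["metadata"]
        for container in pod["spec"].get("containers", []):
            version = parse_version(container.get("image", ""))
            if version is None:
                continue  # not an ingress-nginx controller image
            findings.append({
                "namespace": meta["namespace"], "pod": meta["name"],
                "image": container["image"],
                "version": ".".join(map(str, version)),
                "patched": is_patched(version),
            })
    return findings


def audit_ingress_annotations(ingress_json):
    """List Ingress objects using annotations tied to the injection CVEs, for review."""
    findings = []
    for ingress in ingress_json.get("items", []):
        meta = ingress["metadata"]
        for key, value in (meta.get("annotations") or {}).items():
            if key in RISKY_ANNOTATIONS:
                findings.append({
                    "namespace": meta["namespace"], "ingress": meta["name"],
                    "annotation": key, "value": value, "cve": RISKY_ANNOTATIONS[key],
                })
    return findings


# Constructed sample snapshot: one unpatched controller, one patched, one unrelated pod.
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-7f9c"},
     "spec": {"containers": [{"name": "controller",
                              "image": "registry.k8s.io/ingress-nginx/controller:v1.11.3"}]}},
    {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller-2b1d"},
     "spec": {"containers": [{"name": "controller",
                              "image": "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]}},
    {"metadata": {"namespace": "kube-system", "name": "coredns-5d78"},
     "spec": {"containers": [{"name": "coredns",
                              "image": "registry.k8s.io/coredns/coredns:v1.11.1"}]}},
]}

# Constructed sample Ingress objects: one uses auth-url, one has no annotations.
SAMPLE_INGRESSES = {"items": [
    {"metadata": {"namespace": "shop", "name": "checkout",
                  "annotations": {"kubernetes.io/ingress.class": "nginx",
                                  "nginx.ingress.kubernetes.io/auth-url":
                                      "https://auth.shop.svc.cluster.local/verify"}}},
    {"metadata": {"namespace": "shop", "name": "static", "annotations": None}},
]}


if __name__ == "__main__":
    # With a live cluster, feed json.load(open(path)) of the kubectl output instead.
    for finding in audit_controller_pods(SAMPLE_PODS):
        status = "OK" if finding["patched"] else "UNPATCHED"
        print(f"[{status}] {finding['namespace']}/{finding['pod']} {finding['version']}")
    for finding in audit_ingress_annotations(SAMPLE_INGRESSES):
        print(f"[REVIEW] {finding['namespace']}/{finding['ingress']} "
              f"{finding['annotation']} ({finding['cve']})")
    print(json.dumps(audit_controller_pods(SAMPLE_PODS), indent=2))
```

Run it against real output by saving `kubectl get pods -A -o json` and `kubectl get ingress -A -o json` to files and loading them with `json.load`. Ingress objects flagged for review are not necessarily malicious; the annotation list exists so that administrators know which routes depend on the affected features and can verify them after upgrading to the fixed versions listed above.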

Conclusion

The IngressNightmare vulnerabilities highlight the persistent risks associated with misconfigured Kubernetes components. Given the widespread use of Ingress NGINX Controller, timely patching and security hardening are crucial to preventing exploitation. Organizations must take immediate action to update their deployments, restrict external access to critical services, and reinforce security measures to safeguard their Kubernetes clusters against potential attacks.

By implementing the recommended mitigations, enterprises can significantly reduce the likelihood of cluster compromise and ensure the continued security of their cloud environments.
