Fortra is actively researching multiple vulnerabilities impacting the ingress-nginx controller for Kubernetes:
CVE | CVSS 3.1 vector | Score | Severity |
--- | --- | --- | --- |
CVE-2025-1097 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | High |
CVE-2025-1098 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | High |
CVE-2025-1974 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 9.8 | Critical |
CVE-2025-24513 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L | 4.8 | Medium |
CVE-2025-24514 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 8.8 | High |
CVE-2025-1097: The ‘auth-tls-match-cn’ ingress annotation can be used to inject arbitrary configuration into nginx, allowing code execution in the context of the ingress-nginx controller. This can result in the disclosure of secrets accessible to the controller, which in a default installation includes all secrets cluster-wide.
CVE-2025-1098: The ‘mirror-target’ and ‘mirror-host’ ingress annotations can be used to inject arbitrary configuration into nginx, allowing code execution in the context of the ingress-nginx controller. This can result in the disclosure of secrets accessible to the controller, which in a default installation includes all secrets cluster-wide.
CVE-2025-1974: Under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller (hence the AV:N/PR:N vector above). This can result in the disclosure of secrets accessible to the controller, which in a default installation includes all secrets cluster-wide.
CVE-2025-24513: An issue with attacker-controlled data in filenames that the ingress-nginx Admission Controller handles could result in directory traversal within a container.
CVE-2025-24514: The ‘auth-url’ ingress annotation can be used to inject arbitrary configuration into nginx, allowing code execution in the context of the ingress-nginx controller. This can result in the disclosure of secrets accessible to the controller, which in a default installation includes all secrets cluster-wide.
Who is affected?
Organizations running Kubernetes with ingress-nginx are impacted when running the following versions of NGINX Controller:
- NGINX Controller before v1.11.0
- NGINX Controller v1.11.0 to v1.11.4
- NGINX Controller v1.12.0
You can identify if ingress-nginx is in use with the following command:
kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx
What can I do?
The vendor has released updates:
- NGINX Controller version 1.12.1
- NGINX Controller version 1.11.5
If you cannot apply the patch immediately, mitigations exist for some of these vulnerabilities:
- CVE-2025-1974 and CVE-2025-24513: Disable the Validating Admission Controller functionality of ingress-nginx.
- CVE-2025-24514: Set the enable-annotation-validation CLI argument to true.
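Added example (not part of the Fortra advisory): a small Python checker that takes the JSON form of the pod listing above (`kubectl get pods --all-namespaces -o json`), finds every ingress-nginx controller container by image rather than by label, classifies its version against the affected ranges listed on this page, and reports whether the `--enable-annotation-validation` mitigation is present in its arguments. The pod listing embedded below is constructed sample data, not output from a real cluster.

```python
import json
import re

# Affected ranges as listed in this advisory: anything before 1.11.0,
# 1.11.0 through 1.11.4, and 1.12.0. Fixed releases are 1.11.5 and 1.12.1.

def parse_version(tag):
    """Turn an image tag such as 'v1.12.0' into (1, 12, 0); None if unparsable."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None

def is_affected(tag):
    """True when the controller version falls inside the advisory's affected ranges."""
    v = parse_version(tag)
    if v is None:
        return False  # tags like 'latest' cannot be judged; review them manually
    return v < (1, 11, 5) or v == (1, 12, 0)

def scan_pods(pod_list_json):
    """Walk `kubectl get pods --all-namespaces -o json` output and report each
    ingress-nginx controller: version, affected status, annotation-validation flag."""
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta = pod["metadata"]
        for container in pod["spec"]["containers"]:
            image = container["image"]
            if "ingress-nginx/controller" not in image:
                continue
            tag = image.split("@")[0].rsplit(":", 1)[-1]  # drop any digest, keep the tag
            validation_on = any(
                a in ("--enable-annotation-validation", "--enable-annotation-validation=true")
                for a in container.get("args", []))
            findings.append({"namespace": meta["namespace"], "pod": meta["name"],
                             "version": tag, "affected": is_affected(tag),
                             "annotation_validation": validation_on})
    return findings

# Constructed sample output (not from a real cluster): one vulnerable controller
# without the mitigation flag, one patched controller with it, and an unrelated pod.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-abc12"},
     "spec": {"containers": [{"name": "controller",
              "image": "registry.k8s.io/ingress-nginx/controller:v1.12.0",
              "args": ["/nginx-ingress-controller"]}]}},
    {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller-def34"},
     "spec": {"containers": [{"name": "controller",
              "image": "registry.k8s.io/ingress-nginx/controller:v1.12.1",
              "args": ["/nginx-ingress-controller", "--enable-annotation-validation=true"]}]}},
    {"metadata": {"namespace": "kube-system", "name": "coredns-xyz"},
     "spec": {"containers": [{"name": "coredns", "image": "registry.k8s.io/coredns/coredns:v1.11.1"}]}},
]})
```

Feed real cluster output with `scan_pods(open("pods.json").read())`; a controller that is affected and lacks the flag, or that runs an unparsable tag, is the one to prioritise for the 1.11.5 / 1.12.1 upgrade.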
For additional information about these vulnerabilities, planned patches, and vendor recommendations, refer to the Security Bulletin and Vendor pages.
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities. As vulnerabilities are addressed, products will be listed in this section.
- Alert Logic Network IDS: Alert Logic deployed generic log detection telemetry on March 25, 2025, to catch potential post-compromise Kubernetes secrets dumping.
- Alert Logic Network IDS: Alert Logic deployed a signature on March 27, 2025, to detect the IngressNightmare CVE-2025-1974 attack.
- FusionVM: Alert Logic released authenticated network scan detection for NGINX Controller on March 31st, 2025.
- Tripwire IP360: Tripwire released scan coverage on April 2, 2025, to identify vulnerable instances for IP360. The following table identifies matching vulnerabilities.
CVE | Tripwire IP360 Vulnerability ID |
--- | --- |
CVE-2025-1097 | 715292 |
CVE-2025-1098 | 715293 |
CVE-2025-1974 | 715294 |
CVE-2025-24513 | 715295 |
CVE-2025-24514 | 715296 |
- FusionVM: Alert Logic released a network check for NGINX Controller on April 9th, 2025.
Updates
Fortra has kicked off the Emerging Threats process for these vulnerabilities. We will update this article with new information about them and related security coverage as it becomes available.
3/25/2025: Alert Logic deployed generic log detection telemetry for NGINX Controller.
3/27/2025: Alert Logic deployed an IDS signature to detect exploit attempts.
3/31/2025: Alert Logic released authenticated network scan detection for NGINX Controller.
4/2/2025: Tripwire released scan coverage to identify vulnerable instances for IP360.
4/9/2025: Alert Logic released a network check for NGINX Controller.