Multiple vulnerabilities have been detected in Ingress-NGINX Controller for Kubernetes, posing a significant risk to organizations running the impacted versions. These vulnerabilities, which affect Ingress-NGINX Controller versions prior to 1.12.1 and 1.11.5, can allow unauthorized remote code execution and even full cluster takeover.
The Australian Cyber Security Centre has issued an advisory outlining the various vulnerabilities found in the Ingress-NGINX Controller. These vulnerabilities arise from mishandling of ingress annotations and attacker-supplied data, leading to the execution of arbitrary code and disclosure of secrets.
The first vulnerability identified, CVE-2025-1097, exposes an issue with the auth-tls-match-cn Ingress annotation, enabling the injection of unauthorized configurations into NGINX. This vulnerability allows for arbitrary code execution within the Ingress-NGINX controller, posing a risk of unauthorized access to Secrets across namespaces and compromising the security of the cluster.
The second vulnerability, CVE-2025-1098, pertains to the mirror-target and mirror-host Ingress annotations that can be exploited to insert arbitrary configurations into NGINX. This vulnerability enables remote execution of malicious code within the Ingress-NGINX controller, potentially exposing sensitive cluster-wide Secrets and leading to system compromise.
The third vulnerability identified, CVE-2025-1974, allows an unauthenticated attacker with access to the pod network to achieve arbitrary code execution under certain conditions. This vulnerability jeopardizes the integrity of the controller, allowing attackers to extract Secrets from the cluster and potentially gain full control.
Another vulnerability, CVE-2025-24513, involves a directory traversal flaw in the Ingress-NGINX Admission Controller, enabling attacker-provided data to be included in filenames and leading to directory traversal within the container.
Lastly, CVE-2025-24514 is a flaw in the auth-url Ingress annotation that can be used to inject malicious configurations into NGINX, allowing attackers to remotely execute code within the controller and gain unauthorized access to Secrets across namespaces.
Given the critical role Ingress-NGINX Controller plays in routing external traffic to services within a Kubernetes cluster, exploiting these vulnerabilities can result in severe consequences such as remote code execution, exposure of cluster-wide Secrets, and complete takeover of the Kubernetes infrastructure.
To mitigate these vulnerabilities, organizations are advised to promptly upgrade to the latest version of Ingress-NGINX Controller, implement Kubernetes security guidance, disable external access to the admission webhook endpoint, and take the specific actions recommended for CVE-2025-1974.
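As a starting point for that upgrade and review work, the following added example (not code from the advisory or the Ingress-NGINX project) checks a controller version against the fixed releases and inventories Ingress objects that use the annotations named above. It assumes the default `nginx.ingress.kubernetes.io/` annotation prefix and input shaped like `kubectl get ingress -A -o json`; the allowlist pattern, function names and sample data are constructed for illustration.

```python
import re

PREFIX = "nginx.ingress.kubernetes.io/"
# Annotations named in the advisory, mapped to the CVE that covers each.
WATCHED = {"auth-tls-match-cn": "CVE-2025-1097", "mirror-target": "CVE-2025-1098",
           "mirror-host": "CVE-2025-1098", "auth-url": "CVE-2025-24514"}
# Assumption: first fixed patch release per minor line (1.11.5 and 1.12.1).
FIXED = {(1, 11): 5, (1, 12): 1}
# Assumption: conservative allowlist; anything outside it is queued for manual review.
PLAIN_VALUE = re.compile(r"[A-Za-z0-9._:/?=&%$@+,-]+")

def is_patched(version):
    """True if a controller version such as 'v1.11.4' is at or past the fix."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    if (major, minor) in FIXED:
        return patch >= FIXED[(major, minor)]
    return (major, minor) > max(FIXED)  # older lines: upgrade; newer lines: fixed

def audit_ingresses(ingress_list):
    """List every use of a watched annotation in an Ingress list object."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        for key, value in (meta.get("annotations") or {}).items():
            name = key[len(PREFIX):] if key.startswith(PREFIX) else None
            if name in WATCHED:
                findings.append({
                    "namespace": meta.get("namespace", "default"),
                    "ingress": meta.get("name"),
                    "annotation": name,
                    "cve": WATCHED[name],
                    "needs_review": PLAIN_VALUE.fullmatch(str(value)) is None,
                })
    return findings

# Constructed sample data (not from the advisory).
SAMPLE = {"items": [
    {"metadata": {"name": "shop", "namespace": "web", "annotations": {
        PREFIX + "auth-url": "https://auth.example.internal/verify"}}},
    {"metadata": {"name": "api", "namespace": "web", "annotations": {
        PREFIX + "auth-tls-match-cn": "CN=team a",
        PREFIX + "rewrite-target": "/"}}},
    {"metadata": {"name": "docs", "namespace": "web"}},
]}

if __name__ == "__main__":
    for version in ("v1.11.4", "v1.12.1"):
        print(version, "patched" if is_patched(version) else "upgrade required")
    for finding in audit_ingresses(SAMPLE):
        print(finding)
```

A `needs_review` flag only means the value falls outside the allowlist and should be read by a person; it is not proof of tampering, and an unflagged value on an unpatched controller still requires the upgrade.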
Overall, the presence of these vulnerabilities in Ingress-NGINX Controller underscores the importance of proactive security measures to safeguard Kubernetes clusters against unauthorized access and potential compromise. By adhering to best practices and staying vigilant against emerging threats, organizations can fortify their environments and prevent exploitation of critical security flaws.

