Immediate Patching Urged to Address Flaws in Widely Used Ingress Nginx Controller

Critical vulnerabilities in the popular Kubernetes container management system need immediate patching to prevent attackers from taking control of cloud-based applications, management interfaces and more, researchers warn.
The open source Kubernetes project on Monday released Ingress Nginx Controller versions 1.12.1, 1.11.5 and 1.10.7. The controller, maintained by the core project team, is widely used to provide external access to Kubernetes applications.
Kubernetes is a popular open-source platform for managing containerized workloads and services. The system automates everything from software deployment to scaling and management.
Attackers who exploit these vulnerabilities can gain “unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster by attackers, which can result in cluster takeover,” said researchers from cloud security firm Wiz, who discovered the flaws.
About 43% of all 6,500 internet-facing Kubernetes clusters run the vulnerable ingress controllers and publicly expose them, leaving those organizations “at immediate, critical risk” until they patch the software, the researchers said.
The updates fix four critical remote code execution vulnerabilities in the controller software that can be chained to remotely execute code in vulnerable Kubernetes environments. The attack chain carries a CVSS base score of 9.8 out of 10, reflecting the risk of remote exploitation.
All Kubernetes cluster administrators who use the vulnerable technology should immediately update to the latest versions and “ensure the admission webhook endpoint is not exposed externally,” Wiz said, referring to the endpoint that validates ingress configurations.
For any organization that cannot immediately update, the researchers recommend mitigating the risk of compromise by enforcing “strict network policies so only the Kubernetes API server can access the admission controller,” and by choosing to “temporarily disable the admission controller component of Ingress-Nginx if it’s not needed.”
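A concrete form of the network-policy mitigation Wiz describes, as an added example that is not from the article or the ingress-nginx project: a NetworkPolicy that keeps the controller's HTTP/HTTPS data-plane ports reachable but allows the admission webhook port only from the API server. It assumes the controller runs in the ingress-nginx namespace with the standard chart labels, that the webhook listens on container port 8443, and it uses a placeholder API server address.

```yaml
# Added example, not code from the article or the ingress-nginx project.
# Assumptions: controller pods carry the labels below in namespace "ingress-nginx",
# the admission webhook listens on container port 8443, and the API server reaches
# pods from 192.0.2.10/32 (placeholder; substitute your control plane's address).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-nginx-restrict-admission-webhook
  namespace: ingress-nginx
spec:
  # Once a policy selects a pod, any ingress not explicitly allowed below is denied,
  # so every port the controller must serve needs its own allow rule.
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/component: controller
  policyTypes:
    - Ingress
  ingress:
    # Data-plane traffic for the Ingress resources themselves stays open to all sources.
    - ports:
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443
    # The admission webhook is reachable only from the API server, the sole legitimate
    # caller of a validating webhook; other pods in the cluster can no longer reach it.
    - from:
        - ipBlock:
            cidr: 192.0.2.10/32
      ports:
        - protocol: TCP
          port: 8443
    # If you scrape the controller's metrics port, add a matching rule for it here,
    # since this policy blocks it otherwise.
```

NetworkPolicy is only enforced by a CNI plugin that supports it, and on managed clusters the API server sits outside the pod network, so its source must be expressed as the control plane's address rather than a pod selector. Disabling the webhook entirely, the other fallback the article mentions, is a chart setting (controller.admissionWebhooks.enabled=false in the ingress-nginx Helm chart).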
Wiz researchers reported two of the vulnerabilities to the Kubernetes project on Dec. 31, 2024, followed by the other two flaws in January, and said they all worked closely together to resolve them. On March 10, Kubernetes sent embargoed notifications to numerous organizations about the flaws – assigned CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974.
In a coordinated disclosure report issued Monday, the Wiz researchers detailed the flaws, which they’ve dubbed “IngressNightmare,” and how they can be exploited.
The vulnerabilities exist in the admission controller component of Ingress Nginx Controller for Kubernetes, which is based on the popular Nginx – pronounced “engine x” – HTTP web server, reverse proxy and load-balancing software.
Kubernetes is based on a cluster architecture. A cluster is composed of a control plane as well as worker machines, called nodes, with each node running one or more containerized applications. Connecting data flows to the cluster from outside – through HTTP and HTTPS – is handled by what’s known as an Ingress, using rules defined via the Kubernetes API. “For an Ingress to work in your cluster, there must be an ingress controller running,” Kubernetes said.
More than 40% of Kubernetes-using organizations run the Ingress Nginx Controller. “To bridge between Kubernetes and Nginx configurations, which is a non-Kubernetes-native technology, the controller attempts to translate Kubernetes Ingress objects into Nginx configurations,” Wiz researchers said. “To ensure the stability of the Nginx server, the controller employs a validating admission webhook that validates the final configuration before applying it.”
An underlying security challenge is that “the admission controller is an unauthenticated HTTP endpoint” that “by default runs with a Kubernetes role that allows access to all of the environment’s secrets.” This is why the Wiz researchers began probing it in the first place, suspecting that it might provide a “large attack surface” and be vulnerable to malicious code injection. Subsequently, they did find ways to remotely execute code via flaws in the ingress controller, leading to the four CVEs.
“In our view, this attack surface should be restricted in a much better way: removing access from pods within the cluster and never exposing this publicly,” the researchers said. “We were also surprised by the lack of least-privilege design, as the exploit ended up with privileges to take control of the cluster.”
Researchers said other Kubernetes ingress controllers may have similar flaws, given the extent to which “such a large code base is used behind the scenes.”
The Kubernetes project supports and maintains the Ingress Nginx Controller, as it does with ingress controllers for Amazon Web Services and Google Cloud’s internal Application Load Balancer. Thirty different external project teams offer ingress controllers for a range of other environments, including for Azure, Citrix and F5.