CVE-2025-1974 (IngressNightmare) is a critical RCE flaw in ingress-nginx affecting 40%+ of clusters. Learn how to detect and patch it.
Today, when I woke up and checked my RSS feed, one headline stood out immediately, CVE-2025-1974. It’s a new high-severity vulnerability in , and it’s bad. Like bad.
ingress-nginxNaturally, I dropped everything and dug into the advisory.
The ingress-nginx maintainers just dropped patches for five security vulnerabilities. The most critical among them—CVE-2025-1974—has a CVSS score of 9.8. It allows configuration injection via the Validating Admission Controller, meaning any workload on the Pod network could potentially compromise your cluster.
Let that sink in: even if a user or service doesn’t have permission to create Ingress objects, it could still exploit this path—just by being on the same network.
For context, ingress-nginx is a widely used ingress controller in Kubernetes (deployed in 40%+ clusters). It translates Ingress resources into NGINX configurations to route external traffic to internal services. It's flexible, easy to deploy—and now, evidently, a big attack surface.
Ingress controllers usually require elevated privileges. But this particular flaw means that even low-privileged pods can interact with the Validating Admission Controller in unintended ways. Combine that with other config handling issues patched today, and you’re looking at a cluster-wide exposure scenario.
✅ Best-case fix: Upgrade to a patched version.
Patched versions available:
v1.12.1v1.11.5Upgrading ensures you're protected not just from CVE-2025-1974 but also from four other related vulnerabilities fixed in this release.
If you’re unable to upgrade but still need to take action immediately, the next best thing is to disable the Validating Admission Controller.
Remove the --validating-webhook container args and associated webhook configurations from your Deployment or DaemonSet.
Re-enable the Validating Admission Controller after you’ve upgraded to a patched version—it’s there for a reason: to prevent misconfigured Ingress resources from being applied.
If you're locked out of upgrading and cannot disable the webhook due to organizational or technical constraints, there’s still a fallback:
Use a DaemonSet to block external access to the webhook port (8443) using iptables, while allowing kube-apiserver traffic through.
Here’s how it works:
CVE-2025-1974 is a high-severity vulnerability (CVSS 9.8) in ingress-nginx that allows configuration injection via the Validating Admission Controller. It enables any pod on the cluster network to potentially compromise the entire Kubernetes environment, even without Ingress creation permissions.
Even low-privileged pods can exploit the Validating Admission Controller to inject malicious configuration. Since ingress-nginx runs with elevated privileges in many clusters, this creates a pathway for full-cluster compromise.
Upgrade immediately to a patched version of ingress-nginx:
You can disable the Validating Admission Controller temporarily by removing its container args and webhook configs. However, this also disables safeguards against invalid Ingress resources, so it should be re-enabled post-upgrade.
Yes. As a last resort, you can deploy a DaemonSet that configures iptables rules to block all external traffic to port 8443, used by the webhook, while allowing access only from the Kubernetes API server. This mitigates the vulnerability at the network layer, but use it with caution, as it has not been widely tested in production environments.
Get new posts, tools, and tips delivered straight to your inbox.
Follow along with walkthroughs and tutorials, especially on Rancher and DevOps topics.
A small act of support goes a long way. You're helping me stay consistent and keep the content flowing.
helm upgrade <release-name> ingress-nginx \
--reuse-values \
--set controller.admissionWebhooks.enabled=falseapiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: allow-get-kubernetes-endpoint
namespace: default
rules:
- apiGroups: [""]
resources: ["endpoints"]
resourceNames: ["kubernetes"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: allow-get-kubernetes-endpoint-binding
namespace: default
subjects:
- kind: ServiceAccount
name: default
namespace: kube-system
roleRef:
kind: Role
name: allow-get-kubernetes-endpoint
apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: webhook-port-blocker
namespace: kube-system
labels:
app: webhook-port-blocker
spec:
selector:
matchLabels:
app: webhook-port-blocker
template:
metadata:
labels:
app: webhook-port-blocker
spec:
hostNetwork: true
serviceAccountName: default
volumes:
- name: shared
emptyDir: {}
- name: sa-token
projected:
sources:
- serviceAccountToken:
path: token
expirationSeconds: 3600
- configMap:
name: kube-root-ca.crt
- downwardAPI:
items:
- path: namespace
fieldRef:
fieldPath: metadata.namespace
initContainers:
- name: fetch-apiserver-ips
image: bitnami/kubectl:1.20
command:
- sh
- -c
- |
echo "[+] Fetching all Kubernetes API server IPs..."
kubectl get endpoints kubernetes -n default -o jsonpath='{.subsets[0].addresses[*].ip}' | tr ' ' '\n' > /shared/apiserver-ips
echo "[+] IPs written to /shared/apiserver-ips:"
cat /shared/apiserver-ips
volumeMounts:
- name: shared
mountPath: /shared
- name: sa-token
mountPath: /var/run/secrets/kubernetes.io/serviceaccount
readOnly: true
containers:
- name: iptables
image: alpine:3.19
securityContext:
privileged: true
command:
- sh
- -c
- |
apk add --no-cache iptables ipset >/dev/null
echo "[+] Waiting for /shared/apiserver-ips..."
while [ ! -s /shared/apiserver-ips ]; do sleep 1; done
echo "[+] Creating or flushing ipset 'apiserver-ips'..."
ipset create apiserver-ips hash:ip 2>/dev/null || ipset flush apiserver-ips
echo "[+] Adding allowed IPs to ipset..."
while read -r IP; do
ipset add apiserver-ips "$IP" 2>/dev/null || true
done < /shared/apiserver-ips
echo "[+] Inserting new iptables rule using ipset..."
iptables -I INPUT -p tcp --dport 8443 -m set ! --match-set apiserver-ips src -j DROP
echo "[+] Final iptables rules:"
iptables -L INPUT -n --line-numbers | grep 8443
tail -f /dev/null
volumeMounts:
- name: shared
mountPath: /shared
resources:
requests:
cpu: 25m
memory: 32Mi
limits:
cpu: 100m
memory: 64Mi
tolerations:
- operator: Exists
CVE-2025-1767 exposes root-level access on nodes via a deprecated volume plugin; Kubernetes 1.33 will disable it by default
Enhance Kubernetes pod scheduling with dynamic affinity using matchLabelKeys and mismatchLabelKeys for safer rollouts and tenant isolation.
Pods can now exclude tainted nodes during topology spread calculations, improving placement predictability.
FeaturedGitHub cut hosted runner prices but planned fees for self-hosted Actions, triggering backlash. The change was paused. Here’s what happened and what to expect.
FeaturedKubernetes 1.34 brings GA features, scheduler speedups, kubelet and networking updates, plus security and performance boosts for production clusters.
FeaturedStep-by-step guide to RKE2 autoscaler setup with Rancher. Learn cluster autoscaler Helm deployment, scaling benefits, limits & troubleshooting.
FeaturedKubernetes 1.34 brings GA features, scheduler speedups, kubelet and networking updates, plus security and performance boosts for production clusters.
Stop waiting for schedules to debug CronJobs. Learn how to trigger them immediately, validate specs, and streamline testing in Kubernetes.
Helm upgrade failed due to Kubernetes managedFields conflict. Learn why spec looked fine, yet patching caused errors, and how to fix it.