CVE-2025-1974

Ingress-nginx versions prior to 1.12.1, from 1.12.0-beta.0 before 1.12.1

Ingress-nginx is vulnerable to a critical remote code execution (RCE) vulnerability (CVE-2025-1974) with a CVSS score of 9.8. This flaw allows unauthenticated attackers with access to the pod network to execute arbitrary code within the ingress-nginx controller. Successful exploitation could lead to full cluster takeover and exposure of sensitive secrets. The vulnerability stems from improper isolation or compartmentalization within the controller. A proof-of-concept (PoC) exploit is publicly available. This vulnerability is actively being exploited. The Admission Controller, listening on port 8443, is a key component affected by this issue.

Upgrade Ingress-nginx to version 1.12.1 or later. Restrict network access to the Admission Controller, specifically port 8443. Implement network segmentation, strong authentication, and authorization policies for services on port 8443. Regularly audit and patch vulnerabilities. Remove any server-snippet annotations from your ingress configurations.