Critical Vulnerability in NGINX Ingress — CVE-2025-1974

2 min read · Mar 26, 2025

NGINX Ingress Controller is a widely used Kubernetes component that manages external access to services within a cluster. It acts as a reverse proxy and load balancer, making it an essential part of many production environments.

A remote code execution (RCE) vulnerability has been discovered in the ingress-nginx admission controller, which could allow attackers to execute arbitrary commands on affected clusters.

Recently, a user opened an issue in the official Kubernetes repository reporting the vulnerability:

CVE-2025-1974
Affected Versions:

  • < v1.11.0
  • v1.11.0 - v1.11.4
  • v1.12.0

How to Check if You’re Affected

Run this command to check if ingress-nginx is installed:

kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx

Verify the ingress controller image version:

kubectl get daemonset -n ingress-nginx -o jsonpath="{.spec.template.spec.containers[0].image}"

If you are running a vulnerable version, you need to upgrade immediately.
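As an added example (not part of the original post), the script below wraps the two checks above into one step: it reads the controller image from both Deployments and DaemonSets, since ingress-nginx may be installed either way, and classifies the image tag against the version ranges listed above. The kubectl query, the helper names and the sample image references are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): classify an ingress-nginx
# controller image against the ranges the post lists. Anything below
# v1.11.5, and v1.12.0, count as vulnerable; v1.11.5, v1.12.1 or later
# count as patched.

# Extract the tag from an image reference such as
# registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:<digest>
image_tag() {
  ref="${1%%@*}"              # drop a trailing digest
  ref="${ref##*/}"            # drop registry and repository path
  case "$ref" in
    *:*) printf '%s\n' "${ref##*:}" ;;
    *)   printf '\n' ;;       # no tag (implicit :latest)
  esac
}

# Print vulnerable, patched or unknown for a tag like v1.11.4.
classify_version() {
  tag="${1#v}"
  IFS=. read -r major minor patch <<EOF
$tag
EOF
  for n in "$major" "$minor" "$patch"; do
    case "$n" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
  done
  if [ "$major" -gt 1 ]; then echo patched; return 0; fi
  if [ "$major" -lt 1 ] || [ "$minor" -lt 11 ] \
     || { [ "$minor" -eq 11 ] && [ "$patch" -lt 5 ]; } \
     || { [ "$minor" -eq 12 ] && [ "$patch" -lt 1 ]; }; then
    echo vulnerable
  else
    echo patched
  fi
}

# Live check (needs kubectl). The controller may run as a Deployment or a
# DaemonSet, so query both kinds across all namespaces.
check_cluster() {
  kubectl get deployment,daemonset -A -l app.kubernetes.io/name=ingress-nginx \
    -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name} {.spec.template.spec.containers[0].image}{"\n"}{end}' |
  while read -r name image; do
    echo "$name $image $(classify_version "$(image_tag "$image")")"
  done
}

# Constructed sample references for an offline run.
for ref in registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:0123abcd \
           registry.k8s.io/ingress-nginx/controller:v1.12.1 \
           ingress-nginx/controller:latest; do
  echo "$ref -> $(classify_version "$(image_tag "$ref")")"
done
```

Run `check_cluster` against a live cluster after sourcing the script; a tag of `latest` or a bare digest is reported as unknown and should be resolved manually rather than treated as patched.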

How to Mitigate

Upgrade to a patched version: v1.11.5, v1.12.1, or later

Without Helm: Update the image version in your controller Deployment

With Helm: Run the following command to upgrade:

helm upgrade --reuse-values ingress-nginx ingress-nginx/ingress-nginx

If you are using EKS on AWS, you need to upgrade the entire cluster to v1.26 in order to access v1.11.5.

This is the Pull Request with the fixed version:

Written by Rafael Medeiros

DevOps Engineer | CNCF Kubestronaut | 3x Azure Certified | Cloud & Security Enthusiast | Another IT professional willing to help the community