#VU105987 Input validation error in Ingress-NGINX Controller for Kubernetes - CVE-2025-1974

Cybersecurity Help s.r.o.

Published: 2025-03-24 | Updated: 2025-03-25

Vulnerability identifier: #VU105987

Vulnerability risk: Critical

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Red]

CVE-ID: CVE-2025-1974

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Ingress-NGINX Controller for Kubernetes
Server applications / Other server solutions

Vendor: Kubernetes

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to an unspecified vulnerability in admission controller. A remote non-authenticated attacker with access to the pod network and execute arbitrary code in the context of the ingress-nginx controller

Mitigation
Install update from vendor's website.

Vulnerable software versions

Ingress-NGINX Controller for Kubernetes: 1.0.0 - 1.12.0

External links
https://github.com/kubernetes/kubernetes/issues/131009
https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.12.1
https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.11.5
https://github.com/advisories/GHSA-mgvx-rpfc-9mpv

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Ingress-NGINX Controller for Kubernetes