Tag: cwe-653

  • Critical RCE Vulnerability in Kubernetes ingress-nginx (CVE-2025-1974)

    Overview

    A critical security vulnerability has been identified in the Kubernetes ingress-nginx controller, tracked as CVE-2025-1974. This vulnerability allows unauthenticated attackers with access to the pod network to achieve Remote Code Execution (RCE) within the context of the ingress-nginx controller, potentially leading to the disclosure of Kubernetes Secrets across the cluster.

    Technical Details

    The vulnerability stems from the Validating Admission Controller module in the ingress-nginx project. Under certain misconfigured conditions, it is possible for an attacker to inject and execute arbitrary code through this admission controller if they can reach the controller from within the pod network.

    The affected versions include:

    • All versions up to 1.11.4
    • 1.12.0

The root cause is classified as improper isolation or compartmentalization (CWE-653), and the attack pattern matches CAPEC-251: Local Code Inclusion.

    CVSS and Severity

    According to the Common Vulnerability Scoring System (CVSS) v3.1, this vulnerability has been assigned a base score of 9.8, indicating a Critical severity level. The vector string is as follows:

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

This means that the attack:

    • Is exploitable remotely over the network
    • Requires no user interaction
    • Requires no privileges
    • Results in high impact to confidentiality, integrity, and availability

    Impact and Risks

    If exploited, attackers may gain the ability to run arbitrary commands in the controller’s context. Since ingress-nginx controllers commonly have access to all cluster Secrets by default, this could lead to severe data leakage, credential theft, and cluster-wide compromise.

Security researchers Nir Ohfeld, Ronen Shustin, Sagi Tzadik, and Hillai Ben Sasson were credited with discovering this issue. It was also assessed under the CISA SSVC framework with the following decision points:

    • Exploitation: proof of concept (PoC)
    • Automatable: yes
    • Technical impact: total

    Mitigation and Workaround

    Before applying the official patch, system administrators can mitigate this vulnerability by disabling the Validating Admission Controller in ingress-nginx. However, this may affect some admission control policies, so review your cluster’s configuration accordingly.

To disable the controller, modify the deployment to remove or comment out the relevant webhook configurations. More details are available in Kubernetes GitHub issue 131009.
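As an added example (not code from the original post or from the ingress-nginx project), the script below audits a controller Deployment for the affected version range listed above and produces a copy with the validating admission webhook disabled. It assumes the controller image tag carries the version, that the webhook is switched on by the `--validating-webhook` container argument (with `--validating-webhook-certificate` and `--validating-webhook-key` beside it) and listens on a container port named `webhook`, and that the manifest is handled as a plain dict of the shape `kubectl get deploy -o json` returns; the sample Deployment is constructed for the example.

```python
"""Audit an ingress-nginx controller Deployment for CVE-2025-1974 exposure and
produce a mitigated copy with the validating admission webhook disabled.

Added example, not part of the original post or the ingress-nginx project.
Assumptions: the image tag carries the version, the webhook is enabled by the
`--validating-webhook` argument, and the manifest is a dict as `kubectl get
deploy -o json` would return it.
"""
import copy
import json
import re

AFFECTED_MAX_1_11 = (1, 11, 4)   # all versions up to and including 1.11.4
AFFECTED_EXACT = {(1, 12, 0)}    # plus 1.12.0, per the advisory


def parse_version(image):
    """Extract (major, minor, patch) from a tag such as '...controller:v1.11.4'."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    if not m:
        return None   # digest-pinned or untagged image: cannot decide from the tag
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True/False for a parsed version, None when the version is unknown."""
    if version is None:
        return None
    return version in AFFECTED_EXACT or version <= AFFECTED_MAX_1_11


def controller_containers(deployment):
    return deployment["spec"]["template"]["spec"]["containers"]


def webhook_enabled(deployment):
    """True if any container is started with --validating-webhook (bare or --validating-webhook=ADDR)."""
    for c in controller_containers(deployment):
        for arg in c.get("args", []):
            if arg == "--validating-webhook" or arg.startswith("--validating-webhook="):
                return True
    return False


def disable_webhook(deployment):
    """Return a deep copy with every --validating-webhook* argument and the webhook port removed.

    Removing the certificate/key flags together with the listener is this example's
    choice; they are unused once the listener is gone. The cluster-scoped
    ValidatingWebhookConfiguration must be deleted separately, otherwise the API
    server keeps calling an endpoint that no longer listens.
    """
    hardened = copy.deepcopy(deployment)
    for c in controller_containers(hardened):
        c["args"] = [a for a in c.get("args", []) if not a.startswith("--validating-webhook")]
        # assumed port naming: upstream manifests call the webhook listener "webhook"
        c["ports"] = [p for p in c.get("ports", []) if p.get("name") != "webhook"]
    return hardened


def audit(deployment):
    """Summarise exposure: running version, affected range, webhook state."""
    version = parse_version(controller_containers(deployment)[0]["image"])
    return {
        "version": version,
        "affected_version": is_affected(version),
        "webhook_enabled": webhook_enabled(deployment),
    }


# Constructed sample: a trimmed controller Deployment running an affected release.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "controller",
        "image": "registry.k8s.io/ingress-nginx/controller:v1.12.0",
        "args": [
            "/nginx-ingress-controller",
            "--election-id=ingress-nginx-leader",
            "--controller-class=k8s.io/ingress-nginx",
            "--validating-webhook=:8443",
            "--validating-webhook-certificate=/usr/local/certificates/cert",
            "--validating-webhook-key=/usr/local/certificates/key",
        ],
        "ports": [{"name": "http", "containerPort": 80},
                  {"name": "https", "containerPort": 443},
                  {"name": "webhook", "containerPort": 8443}],
    }]}}},
}

if __name__ == "__main__":
    print("before:", json.dumps(audit(SAMPLE_DEPLOYMENT)))
    print("after: ", json.dumps(audit(disable_webhook(SAMPLE_DEPLOYMENT))))
```

Note that the audit of the hardened copy still reports `affected_version: true`: disabling the webhook is a workaround that removes the reachable surface, and only upgrading takes the controller out of the affected range.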

    Conclusion

    CVE-2025-1974 highlights the importance of strict isolation and privilege boundaries within Kubernetes controllers. Administrators using ingress-nginx should update to a patched version as soon as it becomes available, and review network access controls within their clusters.