CVE-2025-1974

9.8 CRITICAL

📋 TL;DR

CVE-2025-1974 is a critical vulnerability in Kubernetes' ingress-nginx controller that allows unauthenticated attackers on the pod network to execute arbitrary code with the controller's privileges. This can lead to full cluster compromise by accessing all cluster-wide Secrets in default configurations. All Kubernetes deployments using vulnerable ingress-nginx versions are affected.

💻 Affected Systems

Products:
  • Kubernetes ingress-nginx controller
Versions: Specific versions not detailed in provided references; check vendor advisories for exact ranges
Operating Systems: All platforms running Kubernetes
Default Config Vulnerable: ⚠️ Yes
Notes: Default Kubernetes installations where ingress-nginx controller has cluster-wide Secret access are most vulnerable. The vulnerability requires attacker access to the pod network.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete cluster takeover: the attacker gains control of the ingress-nginx controller, accesses all Secrets, deploys malicious pods, and potentially pivots to other infrastructure.

🟠 Likely Case

The attacker compromises the ingress-nginx controller, steals sensitive Secrets (database credentials, API keys, certificates), and establishes persistence in the cluster.

🟢 If Mitigated

With network policies restricting pod-to-pod communication and least-privilege RBAC, impact is limited to the controller's namespace and the resources it can reach.

🌐 Internet-Facing: HIGH - Ingress controllers are typically internet-facing, making them prime targets for exploitation attempts.
🏢 Internal Only: HIGH - Even internal attackers or compromised pods can exploit this vulnerability to escalate privileges cluster-wide.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available on Exploit-DB (ID 52475) and GitHub. The attack requires network reachability to the pod network where the ingress-nginx controller runs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Kubernetes security advisories for specific patched versions

Vendor Advisory: https://github.com/kubernetes/kubernetes/issues/131009

Restart Required: Yes

Instructions:

1. Update the ingress-nginx controller to a patched version.
2. Update the Kubernetes cluster if required.
3. Restart the ingress-nginx controller pods.
4. Verify the controller is running the patched version.

🔧 Temporary Workarounds

Apply Network Policies (all platforms)

Restrict pod-to-pod communication to prevent unauthorized access to ingress-nginx controller pods.

kubectl apply -f network-policy.yaml
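An added example of the network-policy.yaml the command above refers to; it is not from the original page. It assumes the controller runs in the ingress-nginx namespace with the labels from the standard ingress-nginx manifest, that the admission webhook listens on container port 8443, and that 10.0.0.0/24 is a placeholder for your control-plane/API-server address range.

```yaml
# Added example (not from the original page): restrict who can reach the
# ingress-nginx controller pods while a patch is pending.
# Assumptions: namespace "ingress-nginx" and the labels below are those of the
# standard ingress-nginx manifest; 8443 is the admission webhook container port;
# 10.0.0.0/24 is a PLACEHOLDER for your control-plane/API-server range.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ingress-nginx-controller-ingress
  namespace: ingress-nginx
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/component: controller
  policyTypes:
    - Ingress
  ingress:
    # Client traffic to the proxied services stays open on 80/443
    # (no "from" clause means any source).
    - ports:
        - protocol: TCP
          port: 80
        - protocol: TCP
          port: 443
    # The admission webhook is reachable only from the API server range.
    # Any other port or source on the pod network is denied, because a pod
    # selected by an Ingress policy only accepts traffic that matches a rule.
    - from:
        - ipBlock:
            cidr: 10.0.0.0/24   # PLACEHOLDER: replace with your control-plane CIDR
      ports:
        - protocol: TCP
          port: 8443
```

If your CNI enforces policy on kubelet health probes or you scrape the controller's metrics port, add rules for those sources as well, or the controller will be marked unhealthy.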

Restrict RBAC Permissions (all platforms)

Limit the ingress-nginx controller's Secret access to only the required namespaces instead of cluster-wide.

kubectl edit clusterrole ingress-nginx

🧯 If You Can't Patch

  • Implement strict network segmentation and pod security policies to isolate ingress-nginx controller
  • Monitor ingress-nginx controller logs and network traffic for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check ingress-nginx controller version and verify if it's in affected range. Review network policies for pod isolation.

Check Version:

kubectl describe pod -n ingress-nginx | grep Image

Verify Fix Applied:

Confirm ingress-nginx controller is updated to patched version and test that unauthorized pod network access is blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual ingress-nginx controller pod restarts
  • Suspicious commands executed in controller pods
  • Unexpected Secret access patterns

Network Indicators:

  • Unusual network connections to ingress-nginx controller pods from unauthorized sources
  • Suspicious outbound traffic from controller pods

SIEM Query:

source="kubernetes" AND ("ingress-nginx" OR "nginx-ingress") AND ("exec" OR "shell" OR "unauthorized access")
