Introduction
On March 24, 2025, the Kubernetes Security Team disclosed several critical vulnerabilities in ingress-nginx, a popular Kubernetes ingress controller used by many organizations, including every cluster we manage for our customers. The most severe of these vulnerabilities could allow unauthorized attackers to gain complete control of Kubernetes clusters. This post explains the vulnerabilities, their potential impact, and the immediate actions we’ve taken to protect your infrastructure.
Understanding the vulnerabilities
Multiple security issues have been identified in ingress-nginx, but the most critical is CVE-2025-1974, rated CVSS 9.8 (Critical, the highest severity band for vulnerabilities).
This vulnerability allows attackers with access to the Pod network to exploit configuration injection vulnerabilities through the Validating Admission Controller feature of ingress-nginx. In normal circumstances, exploiting these vulnerabilities would require the ability to create an Ingress object in the cluster—a privileged operation typically limited to authorized administrators.
However, CVE-2025-1974 significantly lowers this barrier: any workload with access to the Pod network can potentially take over your entire Kubernetes cluster without requiring any credentials or administrative access. This is particularly concerning because in many common deployment architectures:
- The Pod network is accessible to all workloads in your cloud VPC
- It may be accessible to anyone connected to your corporate network
- In multi-tenant clusters, this could allow one tenant to compromise others
Our response
Upon learning of these vulnerabilities, our team immediately took the following actions (all times are Paris time):
- (~9:00 am) Patching: We created a hotfix of our code that included the patched version of ingress-nginx.
- (~10:00 am) Testing: We deployed the new version on our clusters to verify that everything was still working as expected.
- (~11:00 am) Emergency Patching: The new version was rolled out immediately according to our emergency change protocol:
  - Non-production clusters: update completed at 12:20 pm
  - Production clusters: update completed at 2:20 pm
- Verification: We confirmed the successful deployment of the patch across all environments.
The entire remediation process was completed on March 25, 2025, the day after the public disclosure.
Recommendations for Our Users
- Review any suspicious activity that may have occurred on your cluster in the past few days.
- If you’re managing your own Kubernetes clusters (self-managed version), deploy the latest version of our charts. If you are managing ingress-nginx yourself, ensure you deploy version v1.11.5 or v1.12.1 (or later) as soon as possible.
- For more information, we recommend reading the official Kubernetes blog post about these vulnerabilities.
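A defender-side check that follows from the version guidance above, added here as an example and not part of Qovery's charts or tooling: it classifies the ingress-nginx controller image tags reported by kubectl against the v1.11.5 / v1.12.1 fix line. The kubectl pipeline in the comment and the sample pod lines are constructed; adjust the grep filter to how the controller is named in your cluster.

```shell
#!/bin/sh
# Added example (not Qovery's code): classify ingress-nginx controller images
# against the fixed releases named in the advisory (v1.11.5 and v1.12.1).
# Live data can be fed in with (assumed pipeline, adjust the filter to your install):
#   kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name} {.spec.containers[*].image}{"\n"}{end}' \
#     | grep ingress-nginx/controller | classify_pods

# classify_tag TAG -> prints PATCHED, VULNERABLE or UNKNOWN
# Pre-release tags such as "v1.12.1-beta.0" deliberately fall through to UNKNOWN.
classify_tag() {
  ver=${1#v}                                   # "v1.11.2" -> "1.11.2"
  case "$ver" in *.*.*) ;; *) echo UNKNOWN; return ;; esac
  major=${ver%%.*}; rest=${ver#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  case "$major$minor$patch" in *[!0-9]*) echo UNKNOWN; return ;; esac
  if   [ "$major" -gt 1 ]; then echo PATCHED
  elif [ "$major" -lt 1 ]; then echo VULNERABLE
  elif [ "$minor" -gt 12 ]; then echo PATCHED
  elif [ "$minor" -eq 12 ] && [ "$patch" -ge 1 ]; then echo PATCHED   # 1.12.1+
  elif [ "$minor" -eq 11 ] && [ "$patch" -ge 5 ]; then echo PATCHED   # 1.11.5+
  else echo VULNERABLE                         # 1.10.x and older never received the fix
  fi
}

# classify_pods: reads "namespace/pod image" lines on stdin, prints
# "STATUS namespace/pod image" for each, and returns 1 if any pod is not PATCHED.
classify_pods() {
  bad=0
  while read -r pod image; do
    [ -n "$image" ] || continue
    ref=${image%%@*}                           # drop "@sha256:..." digest pinning
    tag=${ref##*:}                             # text after the last ":" is the tag
    status=$(classify_tag "$tag")
    [ "$status" = PATCHED ] || bad=1
    echo "$status $pod $image"
  done
  return $bad
}

# Constructed sample of what the kubectl pipeline above would emit (pod names and
# digest are placeholders, not real cluster data).
SAMPLE_PODS='ingress-nginx/ingress-nginx-controller-aaaaa-11111 registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:PLACEHOLDER
ingress-nginx/ingress-nginx-controller-bbbbb-22222 registry.k8s.io/ingress-nginx/controller:v1.12.1
team-a/legacy-ingress-controller-ccccc-33333 registry.k8s.io/ingress-nginx/controller:v1.10.1'

printf '%s\n' "$SAMPLE_PODS" | classify_pods || echo "unpatched ingress-nginx controllers found"
```

On the sample input the first and third pods are reported VULNERABLE and the function's exit status is 1, which makes it usable as a gate in a CI or fleet-audit job.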
Conclusion
We take security vulnerabilities very seriously and are committed to maintaining the security and reliability of our and your infrastructure. We will continue to monitor for any developments related to this issue and will provide updates if additional actions are required.
If you have any questions or concerns, please contact our team via Slack or at support@qovery.com.