Description
Ingress-Nginx is affected by a remote code execution vulnerability known as IngressNightmare. It allows remote attackers to inject arbitrary NGINX configuration: improper validation of annotations enables configuration injection, which can lead to execution of arbitrary commands in the controller's context and unauthorized access to all secrets accessible to the Ingress-Nginx controller.
Remediation
Upgrade to the latest version of Ingress-Nginx.
References
Wiz Blog - Ingress-NGINX Kubernetes Vulnerabilities
CVE-2025-1974: ingress-nginx admission controller RCE escalation