2025-03-27 NGINX controller critical vulnerabilities: Kubernetes cluster can be compromised (CVE-2025-1974)
Security is our first priority at Smartmakers. We are aware that recent reports of critical vulnerabilities in the Ingress NGINX Controller for Kubernetes may cause concern, so this report explains the situation and describes how we keep our systems and your data secure.
What happened?
On March 24, 2025, the open-source ingress-nginx project disclosed five vulnerabilities, including CVE-2025-1974, rated critical with a CVSS score of 9.8.
How was this addressed?
Smartmakers Cloud's production Kubernetes infrastructure runs in a private network that is not reachable from the public internet. CVE-2025-1974 can only be exploited by an attacker who already has access to the pod network, so the Thingshub systems were never exposed to these vulnerabilities from the internet.
As a further measure, the ingress-nginx controllers have been upgraded to the patched release v1.11.5, which fixes all five CVEs. The Smartmakers Cloud is therefore not affected by them.
Understanding the Vulnerabilities
CVE-2025-1974 (9.8 Critical): Remote Code Execution in the admission controller. The ingress-nginx Validating Admission Controller accepts AdmissionReview requests without authentication from any client that can reach it on the pod network. A crafted Ingress object submitted this way is rendered into an nginx configuration and test-loaded by the controller, and a malicious configuration can execute arbitrary code in the controller's context. The controller can read every Secret its RBAC role allows, and a default installation grants it read access to all Secrets cluster-wide, so successful exploitation can disclose those Secrets and lead to a complete compromise of the cluster.
CVE-2025-24514 (8.8 High): Configuration injection via the auth-url annotation. The nginx.ingress.kubernetes.io/auth-url Ingress annotation can be abused to inject arbitrary nginx directives into the generated configuration. An attacker who can set it can execute code in the controller's context and read the Secrets the controller can access.
CVE-2025-1097 (8.8 High): Configuration injection via the auth-tls-match-cn annotation. Same class of flaw as CVE-2025-24514, this time through the nginx.ingress.kubernetes.io/auth-tls-match-cn annotation: injected directives lead to arbitrary code execution in the controller and disclosure of the Secrets it can access.
CVE-2025-1098 (8.8 High): Configuration injection via the mirror annotations. The nginx.ingress.kubernetes.io/mirror-target and nginx.ingress.kubernetes.io/mirror-host annotations can likewise be used to inject arbitrary nginx configuration, with the same consequences: code execution in the controller and disclosure of the Secrets it can access.
CVE-2025-24513 (4.8 Medium): Auth secret file path traversal. The Admission Controller includes attacker-provided data in a filename, which allows directory traversal inside the controller container. On its own this mainly leads to a denial-of-service condition; combined with other vulnerabilities it can allow limited disclosure of Secret objects from the cluster.
Used on their own, the three injection vulnerabilities (CVE-2025-24514, CVE-2025-1097, CVE-2025-1098) require the right to create or modify Ingress objects. Combined with CVE-2025-1974, which needs no Kubernetes credentials at all, they give an attacker on the pod network unauthenticated remote code execution in the ingress-nginx controller pod, and from there a full cluster takeover. As of March 27, 2025, there is no known active exploitation of these vulnerabilities.
Affected versions of ingress-nginx:
< v1.11.0
v1.11.0 - v1.11.4
v1.12.0
What do you need to do?
No action is required from your side. Our systems have been updated to address these vulnerabilities, ensuring your data and systems remain secure.
Relevance to Smartmakers Cloud
CVE-2025-1974: RCE Escalation
CVE-2025-1974 is exploitable without any Kubernetes credentials, but the attacker must be able to reach the controller's admission webhook on the pod network. Our Kubernetes cluster infrastructure is secured within a private network that is not directly reachable from the public internet.
The Kubernetes cluster and management API are kept behind IP whitelisting and are accessible only to designated cluster managers.
We follow the principle of least privilege, ensuring that all accounts and service accounts have the minimal access required.
These measures limit the issue to an attacker who has already obtained a foothold inside the cluster network, and the upgrade to v1.11.5 removes the vulnerability itself.
All remaining CVEs (CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, CVE-2025-24513):
We do not use the affected annotations (nginx.ingress.kubernetes.io/auth-url, auth-tls-match-cn, mirror-target and mirror-host) on any of our Ingress objects. Exploiting these vulnerabilities on their own requires the right to create or modify Ingress objects, and that right is restricted to a small number of Kubernetes maintainers within our team.
Smartmakers' Commitment to Security
We are committed to maintaining a secure environment for our systems and your data. Our security practices include:
Regular Software Updates: We keep all software, including internal systems, updated to the latest stable versions to address any potential security risks.
Network Monitoring: We have robust network monitoring systems in place to detect any suspicious activity.
Security Best Practices: We strictly adhere to industry best practices for secure system configuration and access control.
Recommendations to On-Prem Customers
Thingshub expects one ingress controller per cluster, and Smartmakers recommends the nginx-ingress-controller.
We strongly recommend that anyone managing their own Kubernetes cluster with the Ingress NGINX Controller upgrade to a patched release (v1.11.5 or v1.12.1) immediately.
Check whether you are affected:
Check whether the ingress-nginx controller is installed:
kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx
If it is installed, check the controller's image version. The Deployment name depends on your Helm release name; with a release named nginx-ingress it is nginx-ingress-ingress-nginx-controller. If yours differs, list the Deployments with the same selector as above and use that name instead:
kubectl get deployment/nginx-ingress-ingress-nginx-controller -n <namespace> -o yaml | grep "image:"
Find the controller:vX.X.X@... part of the output; X.X.X is your version.
If your version is in the affected list above, upgrade the controller to either:
v1.11.5 or v1.12.1, matching your current minor version.
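As an added example (not part of the original advisory or of the ingress-nginx project), the following POSIX shell script packages the check above. It extracts the controller version from an image reference and classifies it against the affected ranges listed above, and it scans an Ingress listing for the four annotations named in the Relevance section. The image references and the Ingress JSON at the bottom are constructed sample data; check_cluster is the one function that actually calls kubectl, and it assumes the controller Deployment or DaemonSet carries the app.kubernetes.io/name=ingress-nginx label that the Helm chart and upstream manifests apply.

```shell
#!/bin/sh
# Added example (not from the original advisory or the ingress-nginx project).
# Classifies an ingress-nginx controller image reference against the affected
# version ranges given in the advisory, and scans an Ingress listing for the
# annotations abused by CVE-2025-24514, CVE-2025-1097 and CVE-2025-1098.
set -e

# Print "affected", "patched" or "unknown" for one controller image reference
# such as registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:...
# Affected per the advisory: < v1.11.0, v1.11.0 - v1.11.4, and v1.12.0.
# The body runs in a subshell so IFS and the positional parameters stay local.
ingress_nginx_affected() (
  tag=${1%%@*}          # drop a trailing @sha256:<digest>
  tag=${tag##*:}        # the tag follows the last colon, e.g. v1.11.4
  tag=${tag#v}
  IFS=.
  set -- $tag           # split 1.11.4 into 1 11 4
  major=${1:-} minor=${2:-} patch=${3:-}
  for part in "$major" "$minor" "$patch"; do
    case $part in ''|*[!0-9]*) echo unknown; exit 0 ;; esac
  done
  if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 11 ]; }; then
    echo affected                               # < v1.11.0
  elif [ "$major" -eq 1 ] && [ "$minor" -eq 11 ] && [ "$patch" -le 4 ]; then
    echo affected                               # v1.11.0 - v1.11.4
  elif [ "$major" -eq 1 ] && [ "$minor" -eq 12 ] && [ "$patch" -eq 0 ]; then
    echo affected                               # v1.12.0
  else
    echo patched                                # v1.11.5, v1.12.1 or later
  fi
)

# Read an Ingress listing (kubectl get ingress -A -o json) on stdin and print
# each of the four annotations named in the advisory that appears in it.
vulnerable_annotations() {
  grep -oE 'nginx\.ingress\.kubernetes\.io/(auth-url|auth-tls-match-cn|mirror-target|mirror-host)' | sort -u
}

# Live check against the current kube-context. Assumes the controller
# Deployment or DaemonSet carries the app.kubernetes.io/name=ingress-nginx
# label (Helm chart and upstream manifests do this). Not run below.
check_cluster() (
  ns=${1:-ingress-nginx}
  for img in $(kubectl get deployment,daemonset -n "$ns" \
      -l app.kubernetes.io/name=ingress-nginx \
      -o jsonpath='{range .items[*]}{.spec.template.spec.containers[*].image}{"\n"}{end}'); do
    printf '%s -> %s\n' "$img" "$(ingress_nginx_affected "$img")"
  done
  kubectl get ingress -A -o json | vulnerable_annotations
)

# Constructed sample Ingress listing (not real cluster output); one object
# carries the auth-url annotation, the other only a harmless rewrite-target.
SAMPLE_INGRESS_JSON=$(cat <<'EOF'
{"items":[
 {"metadata":{"name":"api","namespace":"prod","annotations":{
   "kubernetes.io/ingress.class":"nginx",
   "nginx.ingress.kubernetes.io/auth-url":"http://auth.prod.svc/verify"}}},
 {"metadata":{"name":"web","namespace":"prod","annotations":{
   "nginx.ingress.kubernetes.io/rewrite-target":"/"}}}
]}
EOF
)

# Constructed sample image references at the edges of the affected ranges.
for img in \
  'registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:0123abcd' \
  'registry.k8s.io/ingress-nginx/controller:v1.11.5@sha256:0123abcd' \
  'registry.k8s.io/ingress-nginx/controller:v1.12.0' \
  'registry.k8s.io/ingress-nginx/controller:v1.12.1'; do
  printf '%-68s %s\n' "$img" "$(ingress_nginx_affected "$img")"
done
printf '%s\n' "$SAMPLE_INGRESS_JSON" | vulnerable_annotations
```

Against a real cluster, source the script and run check_cluster <namespace>; an image without a tag is reported as unknown rather than guessed, and any annotation the scan prints should be reviewed together with who is allowed to create or modify Ingress objects in that namespace.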
We also suggest checking the security bulletin of your respective Kubernetes engine provider for additional details.
We're Here to Help
If you have any questions or concerns regarding these vulnerabilities or our security practices, please do not hesitate to contact our support team. We are committed to providing a secure and reliable environment for your data.