Ingress Nightmare is REAL (and it’s Messy)
by Tech Cynic in Security, Software Development on March 25, 2025
Okay, deep breaths everyone. I just finished analyzing a security report that reads like a dystopian sci-fi novel, and I need to share. Forget rogue AI and killer robots, the real threat to your Kubernetes clusters has a name: IngressNightmare. Yes, you read that right. Nightmare. And it’s not the kind you wake up from with a cold sweat; it’s the kind that leaves your entire cloud infrastructure in shambles.
Wiz, the cloud security wizards who unearthed this digital Pandora’s Box, have identified five critical vulnerabilities (CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974) in the Ingress NGINX Controller for Kubernetes. A whopping 43% of cloud environments are potentially exposed, and the CVSS score? A chilling 9.8. That’s basically saying, “Abandon all hope, ye who deploy this controller.”
Now, before you start frantically patching everything in sight, let’s break down the horror. This isn’t some garden-variety bug; it’s a perfect storm of misconfiguration and architectural oversight. The Ingress NGINX Controller, designed to be the friendly gatekeeper to your cluster, is apparently leaving the door wide open for attackers.
The core issue? The admission controller component, which should be diligently vetting incoming requests, is accessible over the network without authentication. Seriously? It’s like building a bank vault with a cardboard door. Attackers can inject malicious NGINX configurations via seemingly harmless AdmissionReview requests, effectively hijacking the controller and gaining full access to all your secrets across all namespaces. We’re talking cluster takeover, folks. Complete and utter domination.
Let that sink in.
The vulnerabilities are a delightful (for attackers, anyway) cocktail of injection flaws:
- CVE-2025-24514 – auth-url Annotation Injection (a little sprinkle of badness)
- CVE-2025-1097 – auth-tls-match-cn Annotation Injection (a dash more chaos)
- CVE-2025-1098 – mirror UID Injection (stirring things up nicely)
- CVE-2025-1974 – NGINX Configuration Code Execution (the main course: full-blown remote code execution)
Wiz demonstrated a particularly elegant attack scenario involving uploading a malicious shared library via NGINX’s client-body buffer and then using the injected configuration to load it. It’s like a digital Trojan horse, only instead of Greek soldiers, it’s a full-blown compromise of your Kubernetes cluster.
But here’s the kicker: This isn’t a problem with NGINX Ingress Controller (the other one). It’s specifically the Ingress NGINX Controller. Apparently, two implementations of the same tech can have wildly different security profiles. Who knew? It’s like having twins, one a cybersecurity expert and the other… well, a walking vulnerability.
Thankfully, there’s a fix. Versions 1.12.1, 1.11.5, and 1.10.7 address these vulnerabilities. Update immediately. And for the love of all that is holy, ensure your admission webhook endpoint isn’t exposed externally. Restrict access to it so that only the Kubernetes API Server can reach the webhook.
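To turn those two recommendations (patch, and keep the admission webhook reachable only by the API server) into something you can actually check, here is an added example that is not code from the original post, from Wiz, or from the ingress-nginx project. It runs offline over the JSON that `kubectl get pods,svc,networkpolicies -n ingress-nginx -o json` would produce (a constructed sample is embedded) and flags three things: a controller image older than the fixed releases the post names (1.12.1, 1.11.5, 1.10.7), an admission Service of type NodePort or LoadBalancer, and controller pods that no NetworkPolicy selects. The resource name `ingress-nginx-controller-admission` and the `app.kubernetes.io/*` labels are assumptions based on the upstream manifests; the rule that any minor line newer than 1.12 already carries the fix is also an assumption, not something the post states.

```python
"""Offline exposure audit for the IngressNightmare CVEs (added example).

Reads kubectl-style JSON for pods, services and network policies and reports
unpatched controller images, an externally exposed admission webhook Service,
and controller pods with no NetworkPolicy. Names, labels and the sample data
below are assumptions/constructed, not taken from the post or the project.
"""
import json
import re

# Patched release per minor line, as stated in the post. Assumption: any
# minor line newer than 1.12 already contains the fix; older lines have none.
FIXED = {(1, 12): 1, (1, 11): 5, (1, 10): 7}

ADMISSION_SERVICE = "ingress-nginx-controller-admission"  # upstream name (assumed)
CONTROLLER_LABELS = {  # labels the upstream manifests put on the controller (assumed)
    "app.kubernetes.io/name": "ingress-nginx",
    "app.kubernetes.io/component": "controller",
}


def parse_tag(image: str):
    """Return (major, minor, patch) from an image reference, or None if no semver tag."""
    ref = image.split("@", 1)[0]  # drop a trailing @sha256:<digest>
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)$", ref)
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(version) -> bool:
    """True if the version is at or past the fixed release for its minor line."""
    major, minor, patch = version
    if major > 1 or (major == 1 and minor > 12):
        return True
    fixed_patch = FIXED.get((major, minor))
    return fixed_patch is not None and patch >= fixed_patch


def matches(selector: dict, labels: dict) -> bool:
    """matchLabels check; an empty podSelector selects every pod, as in Kubernetes.
    matchExpressions are ignored in this example."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def audit(pods: dict, services: dict, policies: dict) -> list:
    """Return a list of human-readable findings; empty means nothing was flagged."""
    findings = []
    for pod in pods["items"]:
        labels = pod["metadata"].get("labels", {})
        if not matches({"matchLabels": CONTROLLER_LABELS}, labels):
            continue  # not an ingress-nginx controller pod
        name = pod["metadata"]["name"]
        for c in pod["spec"]["containers"]:
            v = parse_tag(c["image"])
            if v is None or not is_patched(v):
                findings.append(f"{name}: controller image {c['image']} is not a fixed release")
        # A ClusterIP Service is still reachable from the whole pod network, so the
        # post's "API server only" advice needs a NetworkPolicy on the controller pods.
        if not any(matches(p["spec"].get("podSelector", {}), labels) for p in policies["items"]):
            findings.append(f"{name}: no NetworkPolicy selects the controller pod")
    for svc in services["items"]:
        if svc["metadata"]["name"] == ADMISSION_SERVICE:
            svc_type = svc["spec"].get("type", "ClusterIP")
            if svc_type != "ClusterIP":
                findings.append(f"{ADMISSION_SERVICE}: Service type {svc_type} exposes the admission webhook")
    return findings


# Constructed sample: one unpatched controller, a LoadBalancer admission Service,
# and no NetworkPolicy at all (the digest is a placeholder, not a real one).
SAMPLE_PODS = {"items": [{
    "metadata": {"name": "ingress-nginx-controller-7d4f", "labels": dict(CONTROLLER_LABELS)},
    "spec": {"containers": [{"name": "controller",
                             "image": "registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:deadbeef"}]},
}]}
SAMPLE_SERVICES = {"items": [{
    "metadata": {"name": ADMISSION_SERVICE},
    "spec": {"type": "LoadBalancer", "ports": [{"port": 443, "targetPort": 8443}]},
}]}
SAMPLE_POLICIES = {"items": []}

if __name__ == "__main__":
    for line in audit(SAMPLE_PODS, SAMPLE_SERVICES, SAMPLE_POLICIES):
        print("FINDING:", line)
    print(json.dumps({"checked": len(SAMPLE_PODS["items"])}))
```

Run against a live cluster by feeding each `kubectl get ... -o json` document to `audit`; a clean cluster returns an empty list. The Service-type check catches the obvious case of a webhook published outside the cluster, while the NetworkPolicy check is the one that matters for the post's core point, since the webhook is unauthenticated and a plain ClusterIP Service is reachable from any pod.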
So, there you have it. IngressNightmare. A terrifying reminder that even the most well-intentioned tools can become security liabilities if not properly configured and maintained. Now, if you’ll excuse me, I’m going to go double-check my own cluster… and maybe invest in a good therapist.
Stay vigilant, folks. And remember: in the world of Kubernetes, paranoia is a feature, not a bug.
Sincerely (and slightly traumatized),
The Tech Cynic.