The Kubernetes community has disclosed multiple security vulnerabilities in the NGINX Ingress controller (ingress-nginx): CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513, and CVE-2025-24514.
Impacts
CVE ID | Severity | CVSS score | Description | Risk | Reference
 | High | | Attackers with Ingress resource write permissions can exploit the | Attackers may execute arbitrary code in the ingress-nginx controller context and further obtain Secrets across the cluster. | 
 | High | | Attackers with Ingress resource write permissions can exploit the | | 
 | Critical | | Attackers with intranet access can bypass the validating admission webhook to inject configurations. | | 
 | High | | Attackers with Ingress resource write permissions can exploit the | | 
 | Medium | | The NGINX Ingress controller fails to adequately validate or filter input submitted by users with write permissions to Ingress resources. Attackers can exploit this vulnerability to craft malicious requests that inject unauthorized data into the configuration file generation path. | A directory traversal vulnerability within the container may be triggered. This may cause a denial of service (DoS) or, when combined with other vulnerabilities, lead to the leakage of a limited set of Secrets in the cluster. | 
Affected scope
Clusters without the NGINX Ingress controller installed are not affected. Use the following steps to check whether your cluster has this component installed:
Installed through the Add-ons page
Method 1: Check on the Add-ons page
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, choose .
On the Add-ons page, search for Nginx Ingress Controller and check on the component card whether the component is installed and which version is running.
Method 2: Run the following command:
kubectl get pods -n kube-system --selector app=ingress-nginx
Installed through the Marketplace (Helm Chart)
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, choose .
In the Helm list, check whether ack-ingress-nginx or ack-ingress-nginx-v1 appears in the Chart Name column; the Application Version column shows the current version of the NGINX Ingress controller component.
Affected NGINX Ingress controller versions:
< v1.11.5
v1.12.0
Clusters are not affected if the admission webhook is disabled.
If installed through the Add-ons page, run
kubectl get validatingwebhookconfigurations ingress-nginx-admission
to confirm whether it is enabled. If installed through the Marketplace, view the basic information of the related application and check whether any resource of type ValidatingWebhookConfiguration exists.
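The version and webhook checks above can be scripted. The following POSIX shell script is an added example, not part of the ACK advisory or of the ingress-nginx project: is_affected encodes the affected range stated above (below v1.11.5, or exactly v1.12.0), and the two helper functions wrap the kubectl queries the advisory lists. The pod selector app=ingress-nginx and the webhook name ingress-nginx-admission come from the advisory; the jsonpath expression, the assumption that the controller version is the tag after the last ":" of the first container image (images pinned by digest are not handled), and the CHECK_CLUSTER variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory or the ingress-nginx project):
# classify an ingress-nginx version against the affected range above
# (< v1.11.5, or exactly v1.12.0) and, on request, read the version and
# admission-webhook state from a live cluster with the advisory's commands.

# is_affected TAG -> exit 0 if TAG is an affected version, 1 otherwise.
# Accepts "v1.11.4", "1.11.4" and suffixed tags such as "v1.11.4-xyz.1".
is_affected() {
    v=${1#v}
    case "$v" in
        *.*) ;;
        *) echo "is_affected: unrecognised version '$1'" >&2; return 2 ;;
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;
    esac
    patch=${patch%%[!0-9]*}          # drop any "-rc1" / "-vendor.1" style suffix
    [ -z "$patch" ] && patch=0

    # v1.12.0 is affected; v1.12.1 and later 1.12.x releases carry the fix.
    if [ "$major" -eq 1 ] && [ "$minor" -eq 12 ]; then
        [ "$patch" -eq 0 ]
        return
    fi
    # Everything below v1.11.5 is affected; v1.11.5 and later are not.
    if [ "$major" -lt 1 ]; then return 0; fi
    if [ "$major" -gt 1 ]; then return 1; fi
    if [ "$minor" -lt 11 ]; then return 0; fi
    if [ "$minor" -gt 11 ]; then return 1; fi
    [ "$patch" -lt 5 ]
}

# controller_version: image tag of the first ingress-nginx pod in kube-system,
# using the pod selector from the advisory (assumption: tag follows the last ":").
controller_version() {
    kubectl get pods -n kube-system --selector app=ingress-nginx \
        -o jsonpath='{.items[0].spec.containers[0].image}' 2>/dev/null | sed 's/.*://'
}

# webhook_enabled: exit 0 if the ValidatingWebhookConfiguration named in the
# advisory exists, i.e. the admission webhook is still enabled.
webhook_enabled() {
    kubectl get validatingwebhookconfigurations ingress-nginx-admission >/dev/null 2>&1
}

# The live checks run only when CHECK_CLUSTER=1 is set, so the functions can be
# sourced or tested without cluster access.
if [ "${CHECK_CLUSTER:-0}" = 1 ]; then
    ver=$(controller_version)
    if [ -z "$ver" ]; then
        echo "no ingress-nginx pod found in kube-system: not affected"
    elif is_affected "$ver"; then
        if webhook_enabled; then
            echo "ingress-nginx $ver is affected and the admission webhook is enabled: update to v1.11.5 or v1.12.1"
        else
            echo "ingress-nginx $ver is in the affected range, but the admission webhook is disabled"
        fi
    else
        echo "ingress-nginx $ver is not in the affected range"
    fi
fi
```

Run it as `CHECK_CLUSTER=1 sh check-ingress-nginx.sh` with a kubeconfig for the target cluster; without the variable it only defines the functions. The version parser keeps the numeric patch level and discards vendor suffixes, so tags such as v1.11.5-xyz.1 are treated as v1.11.5.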
Solutions
The community has patched these vulnerabilities in the following NGINX Ingress controller versions:
v1.11.5
v1.12.1
References:
CVE-2025-1097: ingress-nginx main@06c992a
CVE-2025-1098: ingress-nginx main@2e9f373
CVE-2025-1974: ingress-nginx main@0ccf4ca
CVE-2025-24513: ingress-nginx main@cbc1590
CVE-2025-24514: ingress-nginx main@ab470eb
The solutions for NGINX Ingress controller installed from the Add-ons page and the marketplace (Helm Chart) are different.
Add-on management
Before updating to the patched version, find the Nginx Ingress Controller component on the Add-ons page of the target cluster and manually disable the admission webhook feature to reduce risk. For details, see Manage NGINX Ingress controller.
The NGINX Ingress controller has fixed the related vulnerabilities in v1.11.5. See the NGINX Ingress controller release notes, and update the NGINX Ingress controller to v1.11.5 or later during off-peak hours.
Important: After the update is complete, make sure to re-enable the admission webhook feature. This feature pre-validates Ingress configurations and improves service reliability and stability: before an Ingress creation or update takes effect, the admission webhook reports errors in the Ingress configuration, so that you can prevent problems before they occur.
Marketplace
Before updating to the patched version, manually delete the related validating webhook as a precaution.
The NGINX Ingress controller has fixed the related vulnerabilities in v1.11.5. Check the component release notes on the console's Marketplace page or Helm page, and update ack-ingress-nginx on the Marketplace page to v1.11.5 or later during off-peak hours.