
Container Service for Kubernetes:How to fix vulnerabilities CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513, and CVE-2025-24514

Last Updated:Mar 28, 2025

The Kubernetes community has disclosed multiple security vulnerabilities in the NGINX Ingress controller: CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513, and CVE-2025-24514.

Impacts

CVE-2025-1097
  Severity: High (CVSS score 8.8)
  Description: Attackers with Ingress resource write permissions can exploit the auth-tls-match-cn annotation provided by the NGINX Ingress community to inject malicious configurations.
  Risk: Attackers may execute arbitrary code in the ingress-nginx controller context and further obtain Secrets across the cluster.
  Reference: #131007

CVE-2025-1098
  Severity: High (CVSS score 8.8)
  Description: Attackers with Ingress resource write permissions can exploit the mirror-target and mirror-host annotations provided by the NGINX Ingress community to inject malicious configurations.
  Risk: Same as CVE-2025-1097.
  Reference: #131008

CVE-2025-1974
  Severity: Critical (CVSS score 9.8)
  Description: Attackers with intranet access can bypass the validating admission webhook to inject configurations.
  Risk: Same as CVE-2025-1097.
  Reference: #131009

CVE-2025-24514
  Severity: High (CVSS score 8.8)
  Description: Attackers with Ingress resource write permissions can exploit the auth-url annotation provided by the NGINX Ingress community to inject malicious configurations.
  Risk: Same as CVE-2025-1097.
  Reference: #131006

CVE-2025-24513
  Severity: Medium (CVSS score 4.8)
  Description: The NGINX Ingress controller fails to adequately validate or filter input data submitted by users with write permissions to Ingress resources. Attackers can exploit this vulnerability to craft malicious requests that inject unauthorized data into the configuration file generation path.
  Risk: Directory traversal within the container may be triggered. This vulnerability may cause denial of service (DoS) or, when combined with other vulnerabilities, lead to the leakage of a limited set of Secrets in the cluster.
  Reference: #131005

Affected scope

Clusters without NGINX Ingress controller installed are not affected. Use the following steps to check if your cluster has this component installed:

  • Installed through the Add-ons page

    Method 1: Check on the Add-ons page

    1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

    2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose Operations > Add-ons.

    3. On the Add-ons page, search and locate Nginx Ingress Controller, and check on the component card whether the component is installed and its current version.

    Method 2: Query using the following command:

    kubectl get pods -n kube-system --selector app=ingress-nginx

  • Installed through the Marketplace (Helm Chart)

    1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

    2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, choose Applications > Helm.

    3. In the Helm list, check whether ack-ingress-nginx or ack-ingress-nginx-v1 appears in the Chart Name column. The Application Version column shows the current version of the NGINX Ingress controller component.


Affected NGINX Ingress controller versions:

  • < v1.11.5

  • v1.12.0

Clusters are not affected if the admission webhook is disabled.

  • If installed through the Add-ons page, execute kubectl get validatingwebhookconfigurations ingress-nginx-admission to confirm whether it is enabled.

  • If installed through the marketplace, view the basic information of the related application and check if any resource of type ValidatingWebhookConfiguration exists.
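As an added example (not part of the ACK documentation), the following POSIX shell script combines the checks above: it reads the controller image tag using the page's kubectl selector, classifies the version against the affected ranges (earlier than v1.11.5, or exactly v1.12.0), and reports whether the ingress-nginx-admission webhook exists. It assumes kubectl is configured for the target cluster and that the controller pod runs in kube-system with the label app=ingress-nginx; the function names is_affected_version and check_cluster are the example's own.

```shell
#!/bin/sh
# is_affected_version VERSION -> exit 0 if the version is in an affected range, 1 otherwise.
# Accepts tags such as v1.11.2 or 1.11.2-aliyun.1 (anything after the patch number is ignored).
is_affected_version() {
  v=${1#v}
  maj=${v%%.*}
  rest=${v#*.}
  min=${rest%%.*}
  min=${min%%[!0-9]*}
  case $rest in
    *.*) pat=${rest#*.} ;;
    *)   pat=0 ;;                 # "v1.12" is treated as v1.12.0
  esac
  pat=${pat%%[!0-9]*}             # drop "-aliyun.1"-style suffixes
  if [ "$maj" -lt 1 ]; then return 0; fi
  if [ "$maj" -gt 1 ]; then return 1; fi
  if [ "$min" -lt 11 ]; then return 0; fi
  if [ "$min" -eq 11 ] && [ "$pat" -lt 5 ]; then return 0; fi
  if [ "$min" -eq 12 ] && [ "$pat" -eq 0 ]; then return 0; fi
  return 1
}

# check_cluster -> prints the running controller version, whether it is affected,
# and whether the ingress-nginx-admission validating webhook is present.
check_cluster() {
  img=$(kubectl get pods -n kube-system --selector app=ingress-nginx \
          -o jsonpath='{.items[0].spec.containers[0].image}')
  if [ -z "$img" ]; then
    echo "NGINX Ingress controller not installed: cluster not affected"
    return 0
  fi
  img=${img%%@*}                  # drop a @sha256:... digest so the tag is the last field
  tag=${img##*:}
  if kubectl get validatingwebhookconfigurations ingress-nginx-admission >/dev/null 2>&1; then
    webhook=enabled
  else
    webhook=disabled
  fi
  if is_affected_version "$tag"; then
    echo "controller $tag: affected version; admission webhook $webhook; update to v1.11.5 or v1.12.1"
  else
    echo "controller $tag: patched version; admission webhook $webhook"
  fi
}

# Query the cluster only when invoked with --check, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
  check_cluster
fi
```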

Solutions

The community has patched these vulnerabilities in the following NGINX Ingress controller versions:

  • v1.11.5

  • v1.12.1

The solutions for NGINX Ingress controller installed from the Add-ons page and the marketplace (Helm Chart) are different.

Add-on management

  • Before updating to the patch version, find the Nginx Ingress Controller component on the Add-ons page of the target cluster and manually disable the admission webhook feature to reduce risk. For details, see Manage NGINX Ingress controller.


  • The NGINX Ingress controller fixes these vulnerabilities in v1.11.5 and v1.12.1. See the NGINX Ingress controller release notes, and update the NGINX Ingress controller to a patched version (v1.11.5 or later in the 1.11 series, or v1.12.1 or later) during off-peak hours.

    Important

    After the update is complete, make sure to re-enable the admission webhook feature. The webhook pre-validates Ingress configurations and improves service reliability and stability: before an Ingress creation or update takes effect, it reports errors in the Ingress configuration so that you can prevent problems from occurring.

Marketplace

  • Before updating to the patch version, manually delete the related ValidatingWebhookConfiguration as a temporary mitigation.

  • The NGINX Ingress controller fixes these vulnerabilities in v1.11.5 and v1.12.1. Check the component release notes on the console's Marketplace page or Helm page, and update ack-ingress-nginx on the Marketplace page to a patched version (v1.11.5 or later in the 1.11 series, or v1.12.1 or later) during off-peak hours.