Kubernetes maintainers disclosed five critical vulnerabilities in ingress-nginx, including CVE-2025-1974 with a CVSS 9.8 rating, warning that attackers on the Pod network could abuse configuration injection in the Validating Admission Controller to take over clusters without credentials. The flaws also affect how ingress-nginx builds NGINX configuration from crafted Ingress objects, potentially exposing Secrets available to the controller and leading to full cluster compromise. Patched releases ingress-nginx v1.12.1 and v1.11.5 were issued, and operators were urged to upgrade immediately or temporarily disable the Validating Admission Controller until patching is complete.
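The first question an operator has after reading the above is which controllers in the fleet are still below the fixed releases. The following triage script is an added example, not code from the Kubernetes project or the ingress-nginx maintainers: it takes a list of container image references, keeps only ingress-nginx controller images, and classifies each one against the patched versions named in the disclosure (v1.12.1 and v1.11.5). The sample image list is constructed; the rule that any minor branch newer than 1.12 already carries the fix is an assumption of this example, as is treating 1.10 and older as unpatched because no fixed release on those branches is mentioned.

```python
import re
import sys
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Patched releases named in the disclosure.
PATCHED_BY_BRANCH = {(1, 12): (1, 12, 1), (1, 11): (1, 11, 5)}
# Assumption (not from the disclosure): a minor branch newer than 1.12
# was cut after the fix and therefore carries it.
NEWEST_PATCHED_BRANCH = (1, 12)

SEMVER_TAG = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def is_controller_image(image: str) -> bool:
    """Only ingress-nginx controller images are in scope for this check."""
    return "ingress-nginx/controller" in image


def parse_tag(image: str) -> Optional[Version]:
    """Pull (major, minor, patch) out of a reference such as
    registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:...
    Returns None for digest-only pins, 'latest' and other non-semver tags."""
    name = image.split("@", 1)[0]        # drop any digest pin
    last = name.rsplit("/", 1)[-1]       # 'controller:v1.12.0' or 'controller'
    if ":" not in last:
        return None
    m = SEMVER_TAG.match(last.split(":", 1)[1])
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def assess(image: str) -> dict:
    """Classify one controller image as patched, vulnerable or unknown."""
    ver = parse_tag(image)
    if ver is None:
        return {"image": image, "status": "unknown", "fix": None,
                "note": "non-semver tag; resolve the digest and check manually"}
    branch = ver[:2]
    if branch in PATCHED_BY_BRANCH:
        fixed = PATCHED_BY_BRANCH[branch]
        status = "patched" if ver >= fixed else "vulnerable"
        return {"image": image, "status": status, "fix": "v%d.%d.%d" % fixed}
    if branch > NEWEST_PATCHED_BRANCH:
        return {"image": image, "status": "patched", "fix": None}
    # 1.10 and older: no fixed release on these branches, so move to a patched one.
    return {"image": image, "status": "vulnerable", "fix": "v1.11.5 or v1.12.1"}


def triage(images: List[str]) -> List[dict]:
    """Assess every ingress-nginx controller image found in a list of references."""
    return [assess(i) for i in images if is_controller_image(i)]


# Constructed sample standing in for the output of
#   kubectl get pods -A -o jsonpath='{range .items[*]}{range .spec.containers[*]}{.image}{"\n"}{end}{end}'
# (the digest below is a placeholder, not a real image digest).
SAMPLE_IMAGES = [
    "registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:0123456789abcdef",
    "registry.k8s.io/ingress-nginx/controller:v1.11.5",
    "registry.k8s.io/ingress-nginx/controller:v1.10.1",
    "registry.k8s.io/ingress-nginx/controller:latest",
    "docker.io/library/nginx:1.27",
]

if __name__ == "__main__":
    piped = [] if sys.stdin.isatty() else [line.strip() for line in sys.stdin]
    for result in triage([l for l in piped if l] or SAMPLE_IMAGES):
        print(f"{result['status']:<10} {result['image']}  fix={result['fix']}")
```

Pipe the kubectl output shown in the comment into the script to run it against a live cluster; with no input it reports on the constructed sample. Anything reported as "unknown" (a `latest` tag or a digest-only pin) needs the digest resolved against the registry before it can be called patched.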
The disclosure adds to broader concerns about Kubernetes networking and multi-tenant isolation, highlighted by CVE-2021-25740, an unpatchable issue that lets users with permission to modify Endpoint or EndpointSlice objects redirect service traffic to unauthorized IP addresses. In shared ingress-controller or load-balancer deployments, that behavior can allow one tenant to steer traffic into another tenant’s workloads and bypass intended network boundaries. Security researchers and vendors said the combined risk is highest in clusters that rely on shared ingress infrastructure with broad Secret access, and recommended tightening EndpointSlice permissions, avoiding shared ingress designs in sensitive environments, and evaluating the Gateway API as a safer architecture.
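Because CVE-2021-25740 is not fixed by a patch, the control is RBAC: find out which principals can write Endpoints or EndpointSlices. The audit below is an added example and not Kubernetes or Datadog code; it walks Role/ClusterRole objects (as returned by `kubectl get clusterroles,roles -A -o json`) for rules that grant write verbs on those two resources, honouring the `*` wildcard for groups, resources and verbs, and then joins the risky roles to their subjects through RoleBindings and ClusterRoleBindings. The role, binding and subject names are constructed sample data; aggregated ClusterRoles are not expanded, which is a limitation of this example.

```python
from typing import Dict, List, Optional, Tuple

# Verbs that let a principal change where a Service's traffic goes.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
# (apiGroup, resource) pairs that define Service backends.
TARGETS: List[Tuple[str, str]] = [("", "endpoints"), ("discovery.k8s.io", "endpointslices")]


def _covers(values: List[str], wanted: str) -> bool:
    """RBAC list membership with wildcard support."""
    return "*" in values or wanted in values


def risky_rules(role: dict) -> List[dict]:
    """Return the rules of a Role/ClusterRole that grant write access to
    Endpoints or EndpointSlices. Rules narrowed by resourceNames are still
    reported, since they can still repoint the named objects."""
    findings = []
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        granted = WRITE_VERBS if "*" in verbs else verbs & WRITE_VERBS
        if not granted:
            continue
        for group, resource in TARGETS:
            if _covers(rule.get("apiGroups", []), group) and _covers(rule.get("resources", []), resource):
                findings.append({
                    "resource": f"{group or 'core'}/{resource}",
                    "verbs": sorted(granted),
                    "resourceNames": rule.get("resourceNames", []),
                })
    return findings


def _subject_id(subj: dict) -> str:
    ns: Optional[str] = subj.get("namespace")
    return f"{subj['kind']}:{ns + '/' if ns else ''}{subj['name']}"


def audit(roles: List[dict], bindings: List[dict]) -> List[dict]:
    """Join risky roles to the subjects holding them via (Cluster)RoleBindings.
    A RoleBinding limits the grant to its own namespace; a ClusterRoleBinding
    grants it cluster-wide. Aggregated ClusterRoles are not expanded here."""
    risky: Dict[Tuple[str, str], List[dict]] = {}
    for role in roles:
        found = risky_rules(role)
        if found:
            risky[(role["kind"], role["metadata"]["name"])] = found
    report = []
    for binding in bindings:
        ref = binding["roleRef"]
        key = (ref["kind"], ref["name"])
        if key not in risky:
            continue
        scope = binding["metadata"].get("namespace", "<cluster-wide>")
        for subj in binding.get("subjects", []):
            report.append({"subject": _subject_id(subj), "scope": scope,
                           "role": f"{ref['kind']}/{ref['name']}", "grants": risky[key]})
    return sorted(report, key=lambda r: (r["scope"], r["subject"]))


# Constructed sample objects (names are made up for this example).
SAMPLE_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "tenant-network-editor"},
     "rules": [{"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"],
                "verbs": ["get", "list", "update", "patch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "wildcard-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "viewer", "namespace": "tenant-a"},
     "rules": [{"apiGroups": ["", "discovery.k8s.io"], "resources": ["endpoints", "endpointslices"],
                "verbs": ["get", "list", "watch"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "tenant-a-net", "namespace": "tenant-a"},
     "roleRef": {"kind": "ClusterRole", "name": "tenant-network-editor"},
     "subjects": [{"kind": "Group", "name": "tenant-a-devs"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "deployer"},
     "roleRef": {"kind": "ClusterRole", "name": "wildcard-admin"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "ops", "name": "deployer"}]},
    {"kind": "RoleBinding", "metadata": {"name": "tenant-a-view", "namespace": "tenant-a"},
     "roleRef": {"kind": "Role", "name": "viewer"},
     "subjects": [{"kind": "Group", "name": "tenant-a-readers"}]},
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(entry["scope"], entry["subject"], entry["role"], entry["grants"])
```

On the sample, the read-only `viewer` role is not reported, the tenant group that can patch EndpointSlices in its own namespace is, and the wildcard role surfaces with every write verb on both resources. In a shared-ingress cluster, every non-platform subject that appears in this report is a candidate for the permission tightening the page recommends.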

5 events from the most recent confirmed update back to the earliest known activity.
Datadog Security Labs published an analysis explaining how CVE-2021-25740 can let users with Endpoint or EndpointSlice modification rights redirect service traffic to unauthorized IPs, particularly in shared multi-tenant ingress or load balancer setups. The article recommended architectural mitigations such as avoiding shared ingress in sensitive environments and restricting tenant EndpointSlice permissions.
A GitHub repository published proof-of-concept exploit code for multiple IngressNightmare flaws, including CVE-2025-1974, CVE-2025-1097, CVE-2025-1098, and CVE-2025-24514. The release made exploitation details publicly available shortly after Kubernetes disclosed the vulnerabilities and fixes.
Alongside the disclosure, Kubernetes announced patched ingress-nginx versions 1.12.1 and 1.11.5 to remediate the newly disclosed vulnerabilities. As a temporary mitigation, users were advised to disable the Validating Admission Controller until upgrades could be completed.
On March 24, 2025, the Kubernetes Security Response Committee publicly disclosed five critical ingress-nginx vulnerabilities, including CVE-2025-1974. The most severe issue was described as enabling unauthenticated cluster takeover via the ingress-nginx Validating Admission Controller from the Pod network.
Wiz researchers responsibly disclosed a set of five critical ingress-nginx vulnerabilities to the Kubernetes Security Response Committee and worked with SRC members and ingress-nginx maintainers on fixes.
3 references tracked (all open source): securitylabs.datadoghq.com, github.com, kubernetes.io.