
CVE-2025-1974

Vulnerability Details

Ingress-nginx Controller is a Kubernetes ingress controller that uses Nginx as a reverse proxy and load balancer. Multiple high-risk security vulnerabilities have recently been disclosed in it; the details are as follows:

Vulnerability Type       CVE-ID            Severity   Disclosure/Discovery Date
Privilege Escalation     CVE-2025-2787     High       2025-03-26
Code Execution           CVE-2025-1974     Critical   2025-03-24
Code Execution           CVE-2025-1097     High       2025-03-24
Code Execution           CVE-2025-1098     High       2025-03-24
Denial of Service        CVE-2025-24513    Medium     2025-03-24
Code Execution           CVE-2025-24514    High       2025-03-24
Authentication Bypass    CVE-2024-7646     High       2024-08-16

Impact Scope

  • < 1.11.4
  • 1.12.0 - 1.12.3
  • 1.13.0 - 1.13.2

Vulnerability Self-Check

# v1.10.5 was the version supported by the previous Nginx Ingress documentation at https://docs.ucloud.cn/uk8s/service/ingress/nginx_1.26; that document has now been updated to v1.11.5.
$ kubectl get deployment -n ingress-nginx ingress-nginx-controller -oyaml | grep "image:"
        image: uhub.service.ucloud.cn/uk8s/ingress-nginx-controller:v1.10.5
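The grep above only shows the tag; deciding whether it is affected still needs a numeric version comparison, since a plain string comparison sorts v1.9.10 before v1.9.9. The following script is an added example, not UCloud's own tooling: it parses the image tag out of the deployment YAML and compares it component by component against the first fixed release this page names (v1.11.5, assumed here as MIN_FIXED; adjust it for other release lines). The deployment YAML is a constructed sample standing in for live kubectl output.

```shell
#!/bin/sh
# Added self-check example (not part of the UCloud documentation or ingress-nginx).
# Parses the controller image tag and compares it numerically against MIN_FIXED.
set -eu

MIN_FIXED="1.11.5"   # assumption: first unaffected release named on this page

# Constructed sample of `kubectl get deployment ... -oyaml` output (not real cluster data).
SAMPLE_DEPLOYMENT='apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  template:
    spec:
      containers:
      - name: controller
        image: uhub.service.ucloud.cn/uk8s/ingress-nginx-controller:v1.10.5
        args:
        - /nginx-ingress-controller
        - --validating-webhook=:8443'

# extract_image_tag: print the tag of the first "image:" line, with a leading "v"
# stripped (v1.10.5 -> 1.10.5). The greedy ".*:" also copes with registry ports.
extract_image_tag() {
  printf '%s\n' "$1" | awk '/^[[:space:]]*image:/ { sub(/.*:/, "", $2); sub(/^v/, "", $2); print $2; exit }'
}

# version_lt A B: exit 0 when A < B. Each dotted component is coerced to an
# integer, so 1.9.10 sorts after 1.9.9 and a "-rc1" suffix is ignored.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# check_controller_version: print "affected ..." or "fixed ..." for the image tag
# found in the given deployment YAML, relative to MIN_FIXED.
check_controller_version() {
  tag=$(extract_image_tag "$1")
  if [ -z "$tag" ]; then
    echo "no image tag found" >&2
    return 2
  fi
  if version_lt "$tag" "$MIN_FIXED"; then
    echo "affected (v$tag < v$MIN_FIXED)"
  else
    echo "fixed (v$tag >= v$MIN_FIXED)"
  fi
}

# Stand-alone run on the constructed sample. Against a live cluster, pass the output of
#   kubectl get deployment -n ingress-nginx ingress-nginx-controller -oyaml
# to check_controller_version instead.
check_controller_version "$SAMPLE_DEPLOYMENT"
```

The version comparison is deliberately done in awk rather than with `sort -V`, which is not available on every minimal image the check might run from.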

Fixing Scheme

Before applying the fix, confirm that your current Kubernetes cluster version supports the Ingress-nginx Controller version you intend to upgrade to. You can check this yourself against the Ingress version support matrix.

# Check the current cluster version
$ kubectl version
Server Version: v1.28.15

Note: If your cluster does not support the required Ingress-nginx Controller version, upgrade the cluster first and then upgrade the Ingress-nginx Controller. If you do not plan to upgrade the Ingress-nginx Controller for the time being, disable the configuration affected by the vulnerability (CVE-2025-1974) and allow only trusted users to manage Ingress resources; for details, refer to the Kubernetes RBAC configuration. Restricting RBAC alone is not sufficient for CVE-2025-1974: the admission webhook is reachable over the pod network without authentication, so disabling the webhook is the effective interim mitigation, while the RBAC restriction limits the remaining configuration-injection issues (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514) to users who can already create Ingress objects.

# Disable the admission validation configuration
# Before executing `kubectl apply -f mandatory.yaml`, delete the following lines from the controller's args.
# Refer to the document: https://kubernetes.github.io/ingress-nginx/user-guide/cli-arguments/
        - --validating-webhook=:8443
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key

Also delete the cluster's ValidatingWebhookConfiguration for the controller (named ingress-nginx-admission in the upstream manifests); if it remains registered, the API server keeps calling the endpoint you just removed and Ingress create/update requests fail. With the webhook gone, invalid Ingress objects are no longer rejected at admission time and only surface as errors in the controller log, so review Ingress changes more carefully until the controller is upgraded.
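Editing the manifest by hand is error-prone when the same block appears in several files, so here is the edit as a script. This is an added example, not UCloud's or the ingress-nginx project's code: it removes every `--validating-webhook*` argument line from a manifest and then verifies that none survived. The manifest excerpt is a constructed sample of the controller container spec, and the `ingress-nginx-admission` resource name is the upstream default (an assumption; check with `kubectl get validatingwebhookconfiguration`).

```shell
#!/bin/sh
# Added mitigation example (not part of the UCloud documentation or ingress-nginx).
# Strips the admission-webhook flags from a controller manifest and verifies the result.
set -eu

# Constructed excerpt of the controller container spec as it appears in mandatory.yaml.
SAMPLE_MANIFEST='      containers:
        - name: controller
          image: uhub.service.ucloud.cn/uk8s/ingress-nginx-controller:v1.10.5
          args:
            - /nginx-ingress-controller
            - --election-id=ingress-nginx-leader
            - --controller-class=k8s.io/ingress-nginx
            - --validating-webhook=:8443
            - --validating-webhook-certificate=/usr/local/certificates/cert
            - --validating-webhook-key=/usr/local/certificates/key
          ports:
            - name: webhook
              containerPort: 8443'

# disable_admission_webhook: print the manifest with every list item that starts
# with "--validating-webhook" removed (covers the flag, certificate and key lines).
disable_admission_webhook() {
  printf '%s\n' "$1" | sed '/^[[:space:]]*-[[:space:]]*--validating-webhook/d'
}

# webhook_enabled: exit 0 if the manifest still starts the admission webhook.
webhook_enabled() {
  printf '%s\n' "$1" | grep -q -- '--validating-webhook='
}

# count_flag_args: number of "- --flag" argument lines, to confirm that only the
# three webhook flags were dropped and nothing else was touched.
count_flag_args() {
  printf '%s\n' "$1" | grep -c -- '^[[:space:]]*- --' || true
}

# Stand-alone run on the constructed sample. For a real file use:
#   disable_admission_webhook "$(cat mandatory.yaml)" > mandatory-no-webhook.yaml
PATCHED=$(disable_admission_webhook "$SAMPLE_MANIFEST")
if webhook_enabled "$PATCHED"; then
  echo "webhook flags still present, refusing to continue" >&2
  exit 1
fi
printf '%s\n' "$PATCHED"

# Remaining steps against the cluster (shown as comments so the script runs offline):
#   kubectl apply -f mandatory-no-webhook.yaml
#   kubectl delete validatingwebhookconfiguration ingress-nginx-admission   # upstream default name
#   kubectl -n ingress-nginx rollout status deployment/ingress-nginx-controller
```

The sed pattern matches on the list-item prefix rather than on the whole line, so it also removes the flag if the port or certificate paths in your manifest differ from the ones shown on this page.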

If your cluster supports an unaffected version such as 1.11.5, you can upgrade with the following commands. For CVE-2025-2787, watch the official release notes for a fixed version.

Upgrade Command

$ kubectl -n ingress-nginx patch deployment ingress-nginx-controller --type='json' -p='[{"op": "replace", "path": "/spec/template/spec/containers/0/image", "value": "uhub.service.ucloud.cn/uk8s/ingress-nginx-controller:v1.11.5"}]'

Check whether the Ingress-nginx Controller Status is Normal

$ kubectl -n ingress-nginx get deployment
NAME                       READY   UP-TO-DATE   AVAILABLE   AGE
ingress-nginx-controller   1/1     1            1           26h