# CVE-2025-1974

## Vulnerability Details

Ingress-nginx Controller is a Kubernetes controller that uses Nginx as a reverse proxy and load balancer. Several high-risk security vulnerabilities have recently been disclosed in it; the details are as follows:

| Vulnerability Type | CVE-ID           | Severity | Disclosure/Discovery Date |
|--------------------|------------------|----------|---------------------------|
| Privilege Escalation | CVE-2025-2787    | High     | 2025-03-26                |
| Code Execution     | CVE-2025-1974    | High     | 2025-03-24                |
| Code Execution     | CVE-2025-1097    | High     | 2025-03-24                |
| Code Execution     | CVE-2025-1098    | High     | 2025-03-24                |
| Denial of Service  | CVE-2025-24513   | Medium   | 2025-03-24                |
| Code Execution     | CVE-2025-24514   | High     | 2025-03-24                |
| Authentication Bypass | CVE-2024-7646   | High     | 2024-08-16                |

## Impact Scope

- < 1.11.4
- 1.12.0 - 1.12.3
- 1.13.0 - 1.13.2

## Vulnerability Self-Check

```
# v1.10.5 is the version shipped by the previous UCloud Nginx Ingress documentation (https://docs.ucloud.cn/uk8s/service/ingress/nginx_1.26); that document has since been updated to v1.11.5.
$ kubectl get deployment -n ingress-nginx ingress-nginx-controller -oyaml | grep "image:"
image: uhub.service.ucloud.cn/uk8s/ingress-nginx-controller:v1.10.5
```
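The check above only prints the image tag; classifying it by hand is error-prone. The following script, added here as an example and not taken from the UCloud page or the ingress-nginx project, parses the tag and classifies it against the affected ranges listed above (< 1.11.4, 1.12.0 - 1.12.3, 1.13.0 - 1.13.2). The sample `image:` line is constructed; `check_running_controller` is the live variant and needs `kubectl` access to the cluster.

```shell
#!/bin/sh
# Added example (not part of the UCloud page or the ingress-nginx project):
# classify an ingress-nginx-controller image tag against the affected ranges
# stated above: < 1.11.4, 1.12.0 - 1.12.3, 1.13.0 - 1.13.2.

# Constructed sample of the "image:" line that the self-check above prints.
SAMPLE_IMAGE_LINE='    image: uhub.service.ucloud.cn/uk8s/ingress-nginx-controller:v1.10.5'

# Print the image tag (text after the last ':'), trimmed of surrounding whitespace.
image_tag_from_line() {
    set -- ${1##*:}          # word splitting drops leading/trailing whitespace
    echo "$1"
}

# Print "affected", "not-affected" or "unknown" for a tag such as v1.10.5.
classify_version() {
    v=${1#v}                 # image tags carry a leading "v"
    case $v in
        *.*.*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}  # ignore a suffix such as "-rc1"
    for n in "$major" "$minor" "$patch"; do
        case $n in
            ''|*[!0-9]*) echo unknown; return 0 ;;
        esac
    done
    # Only 1.x ranges are listed on this page; report anything else as unknown.
    if [ "$major" -ne 1 ]; then echo unknown; return 0; fi
    case $minor in
        11) first_fixed=4 ;;   # < 1.11.4
        12) first_fixed=4 ;;   # 1.12.0 - 1.12.3
        13) first_fixed=3 ;;   # 1.13.0 - 1.13.2
        *)
            # every 1.x below 1.11 is affected; minors above 1.13 are not listed
            if [ "$minor" -lt 11 ]; then echo affected; else echo not-affected; fi
            return 0 ;;
    esac
    if [ "$patch" -lt "$first_fixed" ]; then echo affected; else echo not-affected; fi
}

# Live check against the cluster (needs kubectl; not run in the offline demo).
check_running_controller() {
    line=$(kubectl get deployment -n ingress-nginx ingress-nginx-controller -o yaml \
        | grep 'image:' | head -n 1)
    tag=$(image_tag_from_line "$line")
    echo "$tag $(classify_version "$tag")"
}

# Offline demonstration on the constructed sample line.
tag=$(image_tag_from_line "$SAMPLE_IMAGE_LINE")
echo "$tag $(classify_version "$tag")"   # prints: v1.10.5 affected
```

Tags that do not parse as three numeric components (for example `latest`) are reported as `unknown` rather than silently treated as safe; resolve such tags to a concrete version before relying on the result.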

## Fixing Scheme

Before performing the fix, confirm that your current Kubernetes cluster version supports the Ingress-nginx Controller version you intend to upgrade to. You can check this against the Ingress-nginx Controller's supported-version table.

```
# Check the current cluster version
$ kubectl version
Server Version: v1.28.15
```

> Note: If your cluster does not support the target Ingress-nginx Controller version, it is recommended to upgrade the cluster first and then upgrade the Ingress-nginx Controller. If you do not plan to upgrade the Ingress-nginx Controller for the time being, it is recommended that you disable the configuration affected by the vulnerability (CVE-2025-1974) and allow only trusted users to manage Ingress resources. For more information, refer to the Kubernetes RBAC documentation.

```
# Disable the admission validation configuration
# Before executing kubectl apply -f mandatory.yaml, delete the following lines. Refer to the document: https://kubernetes.github.io/ingress-nginx/user-guide/cli-arguments/
    - --validating-webhook=:8443
    - --validating-webhook-certificate=/usr/local/certificates/cert
    - --validating-webhook-key=/usr/local/certificates/key
```
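Deleting those three lines by hand is easy to get wrong when the manifest is long, and it is worth confirming afterwards that the running controller really no longer carries them. The script below is an added example, not code from the UCloud page or the ingress-nginx project: it strips the three validating-webhook flags from a manifest on stdin and counts how many remain. The sample `args` list is constructed (the non-webhook flags stand in for whatever the real manifest carries); `live_webhook_arg_count` is the live check and needs `kubectl`.

```shell
#!/bin/sh
# Added example (not part of the UCloud page or the ingress-nginx project):
# remove the three admission-webhook flags named above from a controller
# manifest, and count such flags so the result can be verified.

# Constructed sample of the controller container's args list as it appears in
# mandatory.yaml; the non-webhook flags are placeholders for the real ones.
SAMPLE_CONTAINER_ARGS='        args:
          - /nginx-ingress-controller
          - --election-id=ingress-nginx-leader
          - --controller-class=k8s.io/ingress-nginx
          - --validating-webhook=:8443
          - --validating-webhook-certificate=/usr/local/certificates/cert
          - --validating-webhook-key=/usr/local/certificates/key'

# YAML list items that set one of the three validating-webhook flags.
WEBHOOK_FLAG_RE='^[[:space:]]*-[[:space:]]*--validating-webhook(-certificate|-key)?='

# Filter: read a manifest on stdin, write it without the webhook flag lines.
strip_webhook_args() {
    grep -E -v -- "$WEBHOOK_FLAG_RE"
}

# Count webhook flag lines in the manifest on stdin (prints 0 when none).
count_webhook_args() {
    grep -E -c -- "$WEBHOOK_FLAG_RE" || true
}

# Live check after the mitigation: the running controller's args must not
# carry webhook flags (needs kubectl; not run in the offline demo).
live_webhook_arg_count() {
    kubectl get deployment -n ingress-nginx ingress-nginx-controller \
        -o jsonpath='{range .spec.template.spec.containers[0].args[*]}- {@}{"\n"}{end}' \
        | count_webhook_args
}

# Offline demonstration on the constructed sample.
before=$(printf '%s\n' "$SAMPLE_CONTAINER_ARGS" | count_webhook_args)
after=$(printf '%s\n' "$SAMPLE_CONTAINER_ARGS" | strip_webhook_args | count_webhook_args)
echo "webhook flags before: $before, after: $after"   # prints: webhook flags before: 3, after: 0
```

For a manual install, the upstream ingress-nginx advisory pairs removing these flags with deleting the `ingress-nginx-admission` ValidatingWebhookConfiguration, so that the API server stops sending admission requests to an endpoint the controller no longer serves; a count of 0 from `live_webhook_arg_count` confirms only the controller side of that change.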

If your cluster supports an unaffected version such as 1.11.5, you can upgrade with the following commands. For CVE-2025-2787, watch the official release notes for a fixed version.

### Upgrade Command

```
$ kubectl -n ingress-nginx patch deployment ingress-nginx-controller --type='json'  -p='[{"op": "replace", "path": "/spec/template/spec/containers/0/image", "value": "uhub.service.ucloud.cn/uk8s/ingress-nginx-controller:v1.11.5"}]'
```

### Check whether the Ingress-nginx Controller Status is Normal

```
$ kubectl -n ingress-nginx get deployment
NAME                       READY   UP-TO-DATE   AVAILABLE   AGE
ingress-nginx-controller   1/1     1            1           26h
```
