9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-1974

GHSA ID

GHSA-mgvx-rpfc-9mpv

EPSS Score

0.9939%

CWE

CWE-653

Published

3/25/2025

Updated

3/25/2025

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-1974

CVE-2025-1974: ingress-nginx admission controller RCE escalation

A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-1974

GHSA ID

GHSA-mgvx-rpfc-9mpv

EPSS Score

0.9939%

CWE

CWE-653

Published

3/25/2025

Updated

3/25/2025

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
k8s.io/ingress-nginx	go
k8s.io/ingress-nginx	go

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper isolation in admission controller validation (CWE-653). The patch notes mention disabling NGINX config validation during admission control, indicating ValidateIngress was involved in insecure validation. The admission controller's webhook setup (createApiserverConfig) likely exposed vulnerable endpoints. These functions would directly handle untrusted input validation and network exposure, aligning with the RCE vector described.

Vulnerable functions

ValidateIngress

internal/ingress/controller/controller.go

Function responsible for validating Ingress resources likely lacked proper input sanitization, allowing malicious configurations to trigger arbitrary code execution through NGINX template generation

createApiserverConfig

internal/ingress/admission/controller.go

Admission controller setup potentially exposed unauthenticated endpoints that processed untrusted input without proper validation

WAF Protection Rules

WAF Rule

* s**urity issu* w*s *is*ov*r** in Ku**rn*t*s w**r* un**r **rt*in *on*itions, *n un*ut**nti**t** *tt**k*r wit* ****ss to t** po* n*twork **n ***i*v* *r*itr*ry *o** *x**ution in t** *ont*xt o* t** in*r*ss-n*inx *ontroll*r. T*is **n l*** to *is*losur*

Reasoning

T** vuln*r**ility st*ms *rom improp*r isol*tion in **mission *ontroll*r `v*li**tion` (*W*-***). T** p*t** not*s m*ntion *is**lin* N*INX `*on*i*` v*li**tion *urin* **mission *ontrol, in*i**tin* `V*li**t*In*r*ss` w*s involv** in ins**ur* `v*li**tion`.

9.8

Basic Information

Concerned about an active attack path?

CVE-2025-1974: ingress-nginx admission controller RCE escalation

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI