
CVE-2025-1974: ingress-nginx admission controller RCE escalation

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.9939%
Published: 3/25/2025
Updated: 3/25/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name          | Ecosystem | Vulnerable Versions | First Patched Version
k8s.io/ingress-nginx  | go        |                     |
k8s.io/ingress-nginx  | go        |                     |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from improper isolation in admission controller validation (CWE-653). The patch notes mention disabling NGINX config validation during admission control, indicating ValidateIngress was involved in insecure validation. The admission controller's webhook setup (createApiserverConfig) likely exposed vulnerable endpoints. These functions would directly handle untrusted input validation and network exposure, aligning with the RCE vector described.

Vulnerable functions

ValidateIngress
File: internal/ingress/controller/controller.go
The function responsible for validating Ingress resources likely lacked proper input sanitization, allowing malicious configurations to trigger arbitrary code execution through NGINX template generation.

createApiserverConfig
File: internal/ingress/admission/controller.go
The admission controller setup potentially exposed unauthenticated endpoints that processed untrusted input without proper validation.

WAF Protection Rules

WAF Rule

A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure

Reasoning

The vulnerability stems from improper isolation in admission controller `validation` (CWE-653). The patch notes mention disabling NGINX `config` validation during admission control, indicating `ValidateIngress` was involved in insecure `validation`.