Farayi

A Cybersecurity Consultant


Critical Security Alert for Nginx: Dubbed The Ingress Nightmare Vulnerabilities

Posted on 28/03/2025 (updated 04/04/2025) by Farayi Dzichauya

What's wrong with Ingress NGINX

In March 2025 researchers at Wiz disclosed a set of serious security flaws in the Ingress NGINX Controller, the widely used Kubernetes ingress controller maintained by the Kubernetes project. The flaws are collectively known as “IngressNightmare.”

Together they let an attacker who can reach the controller's admission webhook over the network, with no credentials at all, execute code inside the controller pod. From there they can:

  • Run arbitrary code inside the Ingress NGINX Controller pod
  • Read the Kubernetes Secrets the controller's service account can access, which in a default installation means every Secret in the cluster
  • Use those credentials to move further and potentially take over the entire cluster

The Four Vulnerabilities Explained

  1. CVE-2025-1097: the value of the auth-tls-match-cn annotation is copied into the generated NGINX configuration without adequate sanitisation, so a crafted value injects arbitrary NGINX directives.
  2. CVE-2025-1098: the same class of flaw in the mirror-target and mirror-host annotations, which can likewise be used to inject configuration that NGINX then acts on.
  3. CVE-2025-1974: the admission webhook accepts Ingress objects from anyone who can reach it over the pod network and tests the generated configuration with the NGINX binary. Combined with any of the annotation injection flaws in this list, it lets an unauthenticated attacker execute code inside the controller. This is the flaw rated 9.8.
  4. CVE-2025-24514: the same class of injection flaw in the auth-url annotation.

Attack Vector Assessment

Ingress NGINX runs a validating admission webhook inside the controller pod. The Kubernetes API server calls it for every Ingress object that is created or updated, so the object can be checked before it is stored. By default the webhook is reachable from anywhere on the pod network and does not authenticate its caller, so it is not only the API server that can talk to it: any workload, or anything that has gained a foothold in a pod, can send it an AdmissionReview request directly. That makes it a highly appealing attack surface.

To validate an Ingress, the webhook renders it into an NGINX configuration and runs the NGINX binary against that configuration (the equivalent of `nginx -t`). Wiz found that annotation values are copied into the rendered configuration without adequate sanitisation, so a crafted Ingress object sent straight to the webhook over the network injects arbitrary NGINX directives.

Because the injected directives are processed by the NGINX binary during the validation run, the attacker gains remote code execution (RCE) in the Ingress NGINX Controller pod, before the Ingress object is ever admitted to the cluster.

The combination of an unauthenticated, network-reachable webhook and a controller service account with cluster-wide read access to Secrets is what turns this into an escalation path rather than a contained bug: code execution in the pod yields every Secret the controller can read, across all namespaces, which can lead to complete cluster takeover.
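As an added example (not code from Wiz or the ingress-nginx project), the following Python script turns the point above into a detection check: it scans a kubectl-style IngressList for values in the four affected annotations that could break out of a single NGINX directive. The annotation names are the real ones; the set of characters treated as suspicious, and the two sample Ingress objects, are assumptions constructed for the example.

```python
"""Heuristic scan of Ingress objects for NGINX-configuration injection attempts
in the annotations named by the IngressNightmare advisory.

Added example; not code from Wiz or the ingress-nginx project.
Usage:  kubectl get ingress -A -o json | python3 scan_ingress.py
"""
import json
import re
import sys

# Real annotation keys, mapped to the CVE that covers each one.
WATCHED_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/auth-url": "CVE-2025-24514",
    "nginx.ingress.kubernetes.io/auth-tls-match-cn": "CVE-2025-1097",
    "nginx.ingress.kubernetes.io/mirror-target": "CVE-2025-1098",
    "nginx.ingress.kubernetes.io/mirror-host": "CVE-2025-1098",
}

# Assumption (heuristic): a legitimate value is one URL, hostname or CN string.
# A newline or ';' ends an NGINX directive and '{' / '}' open or close a block,
# so any of them inside a value means the value can smuggle extra directives.
SUSPICIOUS = re.compile(r"[\r\n;{}]")


def find_injections(ingress):
    """Return [(annotation, cve, value)] for suspicious annotations on one Ingress."""
    annotations = (ingress.get("metadata") or {}).get("annotations") or {}
    hits = []
    for key, cve in WATCHED_ANNOTATIONS.items():
        value = annotations.get(key)
        if isinstance(value, str) and SUSPICIOUS.search(value):
            hits.append((key, cve, value))
    return hits


def scan_ingress_list(ingress_list):
    """Scan an IngressList (kubectl -o json) and return {namespace/name: hits}."""
    findings = {}
    for item in ingress_list.get("items", []):
        meta = item.get("metadata") or {}
        name = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
        hits = find_injections(item)
        if hits:
            findings[name] = hits
    return findings


# Constructed sample: a benign Ingress and one whose auth-url value closes
# the directive and appends a second one.  Both objects are made up.
SAMPLE_INGRESS_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "metadata": {
                "name": "shop",
                "namespace": "prod",
                "annotations": {
                    "nginx.ingress.kubernetes.io/auth-url": "https://auth.prod.svc/verify",
                },
            }
        },
        {
            "metadata": {
                "name": "evil",
                "namespace": "default",
                "annotations": {
                    "nginx.ingress.kubernetes.io/auth-url": "http://x;\ninjected_directive on;",
                },
            }
        },
    ],
}


if __name__ == "__main__":
    # Real input from kubectl on stdin, otherwise the embedded sample.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_INGRESS_LIST
    for workload, hits in scan_ingress_list(data).items():
        for annotation, cve, value in hits:
            print(f"{workload}: {annotation} ({cve}) -> {value!r}")
```

Keep the limits of this check in mind: an Ingress that the webhook rejects is never stored, so a scan of stored objects only shows attempts that were admitted (for example by a caller with permission to create Ingress objects), not requests sent straight to the webhook over the network. It is a triage aid alongside the upgrade, not a substitute for it.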

Why This Is Serious

In a default installation the Ingress NGINX Controller's service account can read every Secret in the cluster, across all namespaces, because it needs Secrets to serve the TLS certificates referenced by Ingress objects. Code execution in the controller pod therefore hands an attacker TLS keys, database credentials and any other Secret stored in the cluster. CVE-2025-1974, the flaw that makes the chain exploitable without authentication, carries a CVSS v3.1 base score of 9.8 (Critical).

According to Wiz's research, about 43% of cloud environments are vulnerable. Their scan also found more than 6,500 clusters, including ones belonging to Fortune 500 companies, whose Ingress NGINX admission webhook is exposed directly to the public internet, which puts them at immediate risk of unauthenticated exploitation.

What You Should Do

  • Upgrade the Ingress NGINX Controller to v1.12.1 or v1.11.5 (or later); these are the releases that fix all four CVEs.
  • If you cannot upgrade straight away, cut off the attack path: restrict network access to the admission webhook (the `ingress-nginx-controller-admission` service, port 8443 on the controller pod) so that only the Kubernetes API server can reach it, or temporarily disable the webhook (`controller.admissionWebhooks.enabled=false` in the Helm chart, or delete the `ingress-nginx-admission` ValidatingWebhookConfiguration) and re-enable it once you have upgraded.
  • Review the Ingress objects in every namespace for unexpected values in the auth-url, auth-tls-match-cn, mirror-target and mirror-host annotations, and look for signs of exploitation in the controller pod; if you find any, assume every Secret the controller could read is compromised and rotate it.
  • Check the official Kubernetes security announcements for detailed mitigation steps and any follow-up advisories.

If you run Kubernetes with Ingress NGINX, treat this as a high-priority security issue: the exploit needs no credentials, and the controller's default permissions make the blast radius cluster-wide.
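As an added example, not code from the Kubernetes or ingress-nginx projects, this Python script performs the first check on the list above offline: it takes the JSON that `kubectl get deployments -A -o json` prints, finds every container running the ingress-nginx controller image, and reports whether its tag predates the fixed releases v1.11.5 and v1.12.1. The image-name substring used to recognise the controller, the decision to treat an unparseable tag as vulnerable, and the two sample deployments are assumptions of the example.

```python
"""Report ingress-nginx controller deployments whose image tag predates the
IngressNightmare fixes (v1.11.5 / v1.12.1).

Added example; not code from the Kubernetes or ingress-nginx projects.
Usage:  kubectl get deployments -A -o json | python3 check_ingress_version.py
"""
import json
import re
import sys

# First fixed patch release on each supported branch (from the advisory).
# Every release before 1.11.0 is also affected and no longer receives fixes.
FIXED_PATCH = {(1, 11): 5, (1, 12): 1}

# Assumption: the controller image is recognised by this substring, which
# matches the upstream registry.k8s.io/ingress-nginx/controller image.
CONTROLLER_IMAGE_MARKER = "ingress-nginx/controller"

# Tag such as ":v1.12.0" or ":1.11.4", optionally followed by "@sha256:..."
TAG_RE = re.compile(r":v?(\d+)\.(\d+)\.(\d+)")


def parse_version(image):
    """Return (major, minor, patch) from an image reference, or None."""
    m = TAG_RE.search(image)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """True if this controller version predates the fix on its branch."""
    major, minor, patch = version
    branch = (major, minor)
    if branch < (1, 11):
        return True                      # too old to have received a fix
    if branch not in FIXED_PATCH:
        return False                     # assumption: 1.13+ ships fixed
    return patch < FIXED_PATCH[branch]


def controller_images(deployment_list):
    """Yield (namespace/name, image) for each controller container."""
    for item in deployment_list.get("items", []):
        meta = item["metadata"]
        for container in item["spec"]["template"]["spec"]["containers"]:
            if CONTROLLER_IMAGE_MARKER in container["image"]:
                yield f"{meta['namespace']}/{meta['name']}", container["image"]


def assess(deployment_list):
    """Return {workload: (version, vulnerable)}; an unparseable tag
    (e.g. 'latest' or a bare digest) is reported as vulnerable."""
    result = {}
    for workload, image in controller_images(deployment_list):
        version = parse_version(image)
        result[workload] = (version, version is None or is_vulnerable(version))
    return result


def _deployment(namespace, name, image):
    """Build a minimal Deployment object shaped like kubectl's output."""
    return {
        "metadata": {"namespace": namespace, "name": name},
        "spec": {"template": {"spec": {"containers": [{"name": "controller", "image": image}]}}},
    }


# Constructed sample: one controller still on 1.12.0, one already on 1.11.5.
SAMPLE_DEPLOYMENTS = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        _deployment("ingress-nginx", "ingress-nginx-controller",
                    "registry.k8s.io/ingress-nginx/controller:v1.12.0"),
        _deployment("edge", "ingress-nginx-controller",
                    "registry.k8s.io/ingress-nginx/controller:v1.11.5"),
    ],
}


if __name__ == "__main__":
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DEPLOYMENTS
    for workload, (version, vulnerable) in assess(data).items():
        tag = ".".join(map(str, version)) if version else "unknown"
        print(f"{workload}: v{tag} -> {'VULNERABLE' if vulnerable else 'fixed'}")
```

Some installations run the controller as a DaemonSet rather than a Deployment; feed `kubectl get daemonsets -A -o json` through the same script, since it only looks at the pod template. A tag the script cannot parse is deliberately reported as vulnerable so that `latest` or digest-only references get a human look rather than a silent pass.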

©2025 Farayi