Why should you care about IngressNightmare?
These vulnerabilities are particularly dangerous because, if ingress-nginx is exposed to the internet, attackers can perform unauthenticated remote code execution (RCE) on an Ingress NGINX admission controller. Since by default admission controllers can access all secrets cluster-wide, IngressNightmare can lead to a complete cluster takeover. What makes it even more critical is that a whopping 43% of cloud environments are vulnerable to this attack vector.
It is therefore important to update any Ingress NGINX controllers as soon as possible. If you can't update right now, you should immediately disable public exposure of the NGINX Ingress controller.
What is Ingress NGINX Controller?
Ingress NGINX Controller is a widely used Kubernetes component that manages external access to services within a cluster. It acts as a reverse proxy and load balancer, routing incoming traffic to services inside the cluster based on rules defined in Ingress resources.
IngressNightmare vulnerability details
IngressNightmare includes the following vulnerabilities:
- CVE-2025-24513 (CVSS score: 4.8): A security issue in ingress-nginx where attacker-provided data is included in a filename by the ingress-nginx Admission Controller, resulting in directory traversal within the container. This could result in denial of service, or when combined with other vulnerabilities, limited disclosure of secret objects from the cluster.
- CVE-2025-24514 (CVSS score: 8.8): A security issue in ingress-nginx where the auth-url Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of secrets accessible to the controller.
- CVE-2025-1097 (CVSS score: 8.8): A security issue in ingress-nginx where the auth-tls-match-cn Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of secrets accessible to the controller.
- CVE-2025-1098 (CVSS score: 8.8): A security issue in ingress-nginx where the mirror-target and mirror-host Ingress annotations can be used to inject arbitrary configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of secrets accessible to the controller.
- CVE-2025-1974 (CVSS score: 9.8): A security issue in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller.
How do I know if I’m affected?
This issue affects ingress-nginx, which is maintained by the Kubernetes open source community. If you don't have ingress-nginx installed on your cluster, you're not affected. Note that NGINX Ingress Controller, the official product from NGINX, is not affected.
Not all versions of ingress-nginx are affected. The following versions contain the vulnerabilities:
- All versions prior to v1.11.0
- v1.11.0 - 1.11.4
- v1.12.0
How to mitigate IngressNightmare
To protect against these vulnerabilities, users should take the following measures:
- Update Ingress NGINX Controller for Kubernetes: Ensure that you are running the latest patched version of the Ingress NGINX Controller.
- Apply network policies: Minimize public exposure and restrict access to the ingress-nginx admission controller. Preferably only allow access from the Kubernetes API Server.
- Monitor and audit logs: Continuously monitor logs for unusual request patterns and unauthorized access attempts.
- Use web application firewalls (WAFs): Deploy a WAF to filter malicious traffic targeting the Ingress controller.
If you cannot upgrade ingress-nginx immediately, temporarily disable the admission controller component to protect against these vulnerabilities.
How Mondoo can help
Mondoo offers an open source security framework called cnspec. Open to the community, cnspec allows you to connect to your Kubernetes environments and scan for vulnerabilities and misconfigurations, including the IngressNightmare vulnerabilities.
Find out if you are vulnerable:
- Connect cnspec to your Kubernetes environments following the cnspec instructions.
- Clone cnspec-policies https://github.com/mondoohq/cnspec-policies.
- Run cnspec scan.
git clone https://github.com/mondoohq/cnspec-policies.git
cd cnspec-policies
cnspec scan k8s -f core/vulnerabilities/mondoo-k8s-nginx-ingress-vulnerability.mql.yaml
cnspec uses policy as code to detect the vulnerability, which also makes it quick to adjust the policy if required:
k8s.deployments.where(labels["app.kubernetes.io/name"] == "ingress-nginx").none(
version( labels["app.kubernetes.io/version"] ) < version("1.11.5")
)
See the full policy here.
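The same version check can be run without cnspec, for instance in a CI job or an audit script. The following Python example is added here and is not part of the post or the cnspec-policies project; it applies the three affected ranges listed above (everything before 1.11.0, 1.11.0 through 1.11.4, and 1.12.0) to the labels of every ingress-nginx Deployment, so unlike a plain "< 1.11.5" comparison it also flags 1.12.0. The Deployment JSON is a constructed sample in the shape of `kubectl get deployments -A -o json`, and the label names are the ones the policy above relies on.

```python
import json
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

def parse_version(label: str) -> Optional[Version]:
    """Turn a label such as 'v1.11.4' or '1.12.0' into (1, 11, 4); None if it is not x.y.z."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", label.strip())
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None

def is_affected(version: Version) -> bool:
    """Apply the affected ranges from the post: < 1.11.0, 1.11.0-1.11.4, and exactly 1.12.0."""
    if version < (1, 11, 0):
        return True
    if (1, 11, 0) <= version <= (1, 11, 4):
        return True
    return version == (1, 12, 0)

def find_affected(deployments_json: str) -> List[Tuple[str, str, str]]:
    """Return (namespace, name, version label) for each ingress-nginx Deployment at risk.
    A Deployment whose version label cannot be parsed is reported too, so it gets reviewed."""
    hits = []
    for item in json.loads(deployments_json)["items"]:
        meta = item["metadata"]
        labels = meta.get("labels", {})
        if labels.get("app.kubernetes.io/name") != "ingress-nginx":
            continue
        raw = labels.get("app.kubernetes.io/version", "")
        ver = parse_version(raw)
        if ver is None or is_affected(ver):
            hits.append((meta["namespace"], meta["name"], raw or "unknown"))
    return hits

def _deploy(ns: str, name: str, app: str, version: str) -> dict:
    """Build a minimal Deployment object carrying only the labels the check needs."""
    return {"metadata": {"namespace": ns, "name": name,
                         "labels": {"app.kubernetes.io/name": app,
                                    "app.kubernetes.io/version": version}}}

# Constructed sample in the shape of `kubectl get deployments -A -o json`; not from a real cluster.
SAMPLE_DEPLOYMENTS = json.dumps({"items": [
    _deploy("ingress-nginx", "ingress-nginx-controller", "ingress-nginx", "1.11.4"),  # affected
    _deploy("edge", "edge-ingress-controller", "ingress-nginx", "v1.12.0"),          # affected
    _deploy("ingress-nginx", "patched-controller", "ingress-nginx", "1.11.5"),       # fixed
    _deploy("shop", "shop-api", "shop-api", "1.12.0"),                               # not ingress-nginx
]})
```

Feed `find_affected` the output of `kubectl get deployments -A -o json` to list every controller that still needs the upgrade.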
Once the scan is complete, cnspec indicates whether the Kubernetes cluster is at risk:
To see detailed results of the scan, run it with the --output full flag:
cnspec scan k8s -f core/vulnerabilities/mondoo-k8s-nginx-ingress-vulnerability.mql.yaml --output full
About Mondoo
The unauthenticated RCE vulnerability in the Ingress NGINX Controller for Kubernetes underscores the importance of securing Ingress controllers in cloud-native environments. Staying proactive with security updates and configuration hardening is crucial to defending against evolving threats in Kubernetes environments.
This is where Mondoo can help. An intuitive exposure management platform that not only detects issues but helps you fix them as fast as possible, Mondoo helps you proactively bolster your security posture.
Mondoo identifies, prioritizes, and addresses vulnerabilities and misconfigurations in your entire IT infrastructure and SDLC from a single interface—covering on-prem, cloud, SaaS, and endpoints. Unlike siloed approaches, Mondoo enables you to quickly understand your most urgent risks and initiate fast remediation, ensuring optimized security efforts and significantly improving security posture.