Kubernetes security advisory (AV25-161)

Serial number: AV25-161
Date: March 24, 2025

On March 24, 2025, Kubernetes published a security advisory to address critical vulnerabilities in the following product:

  • Kubernetes ingress-nginx controller — versions prior to 1.11.5
  • Kubernetes ingress-nginx controller — versions prior to 1.12.1

This vulnerability allows unauthenticated RCE and wide access to secrets.

The vulnerability is rated a CVSS 9.8 and is tracked with the following identifiers: CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974.

The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates.
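A check an administrator could run against the version ranges listed above, as an added example that is not part of the advisory or of the Kubernetes project's code: it classifies controller images found in `kubectl get pods -A -o json` style output. The sample pod list is constructed, and matching on the `ingress-nginx/controller` repository path and treating releases later than 1.12.1 as fixed are assumptions.

```python
import re

# Fixed releases named in the advisory: 1.11.5 (1.11 line) and 1.12.1 (1.12 line).
FIXED_1_11 = (1, 11, 5)
FIXED_1_12 = (1, 12, 1)
# Plain x.y.z tag, optional "v" prefix, optional trailing digest. Pre-release
# suffixes are deliberately not matched so they are reported as "unknown".
_TAG = re.compile(r":v?(\d+)\.(\d+)\.(\d+)(?:@sha256:[0-9a-f]{64})?$")
REPO_HINT = "ingress-nginx/controller"  # assumption: mirrors keep this path

def classify(image: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for a controller image reference."""
    m = _TAG.search(image)
    if not m:
        return "unknown"  # digest-only, 'latest' or suffixed tag: check manually
    ver = tuple(int(x) for x in m.groups())
    if ver[:2] >= (1, 12):  # 1.12 line and later (assumed to carry the fix)
        return "fixed" if ver >= FIXED_1_12 else "affected"
    return "fixed" if ver >= FIXED_1_11 else "affected"

def scan(pod_list: dict) -> list:
    """Return (namespace, pod, image, status) for every controller container."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        for c in pod.get("spec", {}).get("containers", []):
            image = c.get("image", "")
            if REPO_HINT in image:
                findings.append((meta.get("namespace"), meta.get("name"),
                                 image, classify(image)))
    return findings

DIGEST = "@sha256:" + "ab" * 32  # constructed placeholder digest
SAMPLE = {"items": [  # constructed pod list in the shape kubectl emits
    {"metadata": {"namespace": "ingress-nginx", "name": "ctl-old"},
     "spec": {"containers": [
         {"image": "registry.k8s.io/ingress-nginx/controller:v1.11.3"}]}},
    {"metadata": {"namespace": "ingress-nginx", "name": "ctl-new"},
     "spec": {"containers": [
         {"image": "registry.k8s.io/ingress-nginx/controller:v1.12.1" + DIGEST},
         {"image": "busybox:1.36.1"}]}},
    {"metadata": {"namespace": "edge", "name": "ctl-pinned"},
     "spec": {"containers": [
         {"image": "mirror.example:5000/ingress-nginx/controller" + DIGEST}]}},
]}

if __name__ == "__main__":
    for ns, pod, image, status in scan(SAMPLE):
        print(f"{status:9} {ns}/{pod} {image}")
```

An `unknown` result means the tag alone does not identify the release, so the image has to be resolved to a version by other means before it is considered safe.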
