Max Carter
The Kubernetes project has released patches for five critical vulnerabilities in the popular Ingress NGINX Controller component, used to route external traffic to Kubernetes services. If exploited, these flaws could allow attackers to completely take over entire clusters, putting sensitive data and resources at risk.
The vulnerabilities, dubbed "IngressNightmare" by the Wiz research team that discovered them, are tracked as CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974, and CVE-2025-24513. According to Wiz, about 43% of cloud environments are vulnerable, and over 6,500 clusters, including those of Fortune 500 companies, expose vulnerable Kubernetes ingress controllers to the public internet.
Kubernetes is the most popular container orchestration system, used to automate the deployment of applications in cloud environments by splitting them into networks of microservices that run independently inside their own secure containers or groups of containers called pods. The Ingress NGINX Controller, which leverages the NGINX web server and reverse proxy, is one of the most popular ingress controllers and is commonly used as an example in official documentation. Wiz found that over 41% of internet-facing Kubernetes clusters are running Ingress-NGINX.
The admission controller in Ingress-NGINX is used to process incoming ingress objects, create matching NGINX configurations based on them, and then validate them to decide how and where to route requests. The vulnerabilities found by Wiz allow an attacker to inject configuration parameters, which, when validated, cause the NGINX validator to execute arbitrary code. This could lead to the exposure of all cluster secrets and potentially allow an attacker to take over the entire cluster.
The CVE-2025-1974 vulnerability is the most serious, with a severity score of 9.8 on the CVSS scale. It allows anyone with access to the Pod network to exploit the other configuration injection vulnerabilities, which would otherwise require privileged actions to exploit. The Kubernetes maintainers warned that "anything on the Pod network has a good chance of taking over your Kubernetes cluster, with no credentials or administrative access required."
To mitigate the flaws, administrators can upgrade the Ingress-NGINX component to one of the patched versions. In situations where an immediate version upgrade is not possible, admins can reduce risk by deleting the ValidatingWebhookConfiguration called ingress-nginx-admission and removing the --validating-webhook argument from the ingress-nginx-controller container's Deployment or DaemonSet. However, the Validating Admission Controller should not remain disabled for a long time, as it provides safeguards against bad ingress configurations to legitimate users.
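One way to confirm that both steps of the temporary mitigation were actually applied is to audit an exported object listing. The following is an added example, not code from the article or the Kubernetes project; it assumes a JSON listing of Deployments, DaemonSets and ValidatingWebhookConfigurations (for example from kubectl with -o json), and the sample data, helper names and certificate path are constructed for illustration.

```python
WEBHOOK_NAME = "ingress-nginx-admission"  # object name given in the article
WEBHOOK_FLAG = "--validating-webhook"     # controller argument named in the article

def workload(kind, ns, name, args):
    """Build a minimal Deployment/DaemonSet dict (constructed sample data)."""
    return {"kind": kind, "metadata": {"namespace": ns, "name": name},
            "spec": {"template": {"spec": {"containers": [
                {"name": "controller", "args": args}]}}}}

# Constructed sample shaped like a `kubectl get ... -o json` List (assumption).
SAMPLE = {"kind": "List", "items": [
    {"kind": "ValidatingWebhookConfiguration",
     "metadata": {"name": "ingress-nginx-admission"}},
    workload("Deployment", "ingress-nginx", "ingress-nginx-controller",
             ["/nginx-ingress-controller", "--validating-webhook=:8443",
              "--validating-webhook-certificate=/example/cert"]),
    workload("DaemonSet", "kube-system", "node-agent", ["--log-level=info"]),
]}

def audit(listing):
    """Return (webhook_object_present, findings) for the two mitigation steps."""
    present, findings = False, []
    for item in listing.get("items", []):
        meta = item.get("metadata", {})
        if item.get("kind") == "ValidatingWebhookConfiguration":
            present = present or meta.get("name") == WEBHOOK_NAME
        elif item.get("kind") in ("Deployment", "DaemonSet"):
            pod = item.get("spec", {}).get("template", {}).get("spec", {})
            for c in pod.get("containers", []):
                for arg in c.get("args") or []:
                    # Match the flag itself, not longer flags sharing its prefix.
                    if arg == WEBHOOK_FLAG or arg.startswith(WEBHOOK_FLAG + "="):
                        where = f'{meta.get("namespace")}/{meta.get("name")}'
                        findings.append((item["kind"], where, c.get("name"), arg))
    return present, findings

def mitigation_complete(listing):
    """True only when both steps from the article have been applied."""
    present, findings = audit(listing)
    return not present and not findings

if __name__ == "__main__":
    present, findings = audit(SAMPLE)
    print("webhook configuration present:", present)
    for f in findings:
        print("webhook argument still set:", *f)
```

The same check run in reverse after upgrading helps confirm that the admission controller has been re-enabled rather than left off.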
The discovery of these critical vulnerabilities highlights the importance of regular security audits and patch management in cloud environments. As Kubernetes continues to be a widely adopted technology, it is essential for organizations to prioritize the security and integrity of their cloud infrastructure to prevent potential breaches and data leaks.
For more information on strengthening Kubernetes defenses, read our related article, "How to Strengthen Your Kubernetes Defenses."