IngressNightmare Advisory Briefing (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974)¶
IngressNightmare is the name given to a set of critical ingress-nginx controller vulnerabilities disclosed in March 2025 that, in an exposed cluster, can lead to cluster-wide secret exposure.
At a Glance¶
| Item | Detail |
|---|---|
| Briefing type | Security briefing |
| Primary audience | Platform security and SRE |
| Action urgency | Triage immediately |
Advisory Summary¶
These vulnerabilities affect ingress-nginx controller deployments. Three of them (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514) let attacker-controlled Ingress annotations inject configuration into the generated nginx configuration; the most severe, CVE-2025-1974, lets anyone who can reach the controller's validating admission webhook over the pod network execute code in the controller pod without authentication. The severity in a given cluster depends on that exposure and on the controller's permissions: because the controller normally runs with a service account that can read Secrets cluster-wide, a compromised controller is a direct path to credentials in every namespace.
Affected Components and Versions¶
- Component: ingress-nginx controller
- Advisory date: March 2025
- CVEs: CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974
- Scope: environments running vulnerable controller releases
Confirm exact affected and patched versions from upstream security advisory notes before rollout.
Why It Matters¶
Ingress controllers sit on a high-value trust boundary: they terminate external traffic and often have elevated permissions. A controller exploit is rarely isolated. It can expose service account tokens, TLS material, and other cluster secrets that increase blast radius quickly.
What to Do¶
- Inventory ingress-nginx controller images in all clusters, including self-managed and managed ones, and identify releases that predate the upstream fix.
- Patch to fixed versions immediately, starting with internet-facing clusters. Where patching must wait, restrict network access to the controller's admission webhook or disable the validating admission controller as an interim measure.
- After patching, rotate credentials the controller could read: TLS keys stored as Secrets, service account tokens and any other Secrets in its scope. Treat a vulnerable controller whose webhook was reachable as potentially used.
- Review the RBAC granted to the controller's service account and remove permissions it does not need.
- Add post-remediation monitoring for abnormal Secret reads, unexpected processes in the controller pod and unusual admission webhook traffic.
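The inventory step above, as an added example that is not part of the original briefing or of the ingress-nginx project: a POSIX shell script that takes the output of a `kubectl get pods` jsonpath query (one line per pod: namespace, pod name, container images), picks out ingress-nginx controller containers and classifies each image tag as vulnerable, fixed or unknown. The fixed releases hard-coded here (v1.11.5 and v1.12.1) are what the upstream advisory names; treat them as an assumption to re-check against the upstream notes before relying on the output. The sample input is constructed so the script runs offline, and the image-path filter assumes mirrors keep the upstream `ingress-nginx/controller` name.

```shell
#!/bin/sh
# Inventory ingress-nginx controller images and flag releases older than the fix.
#
# Real run: pipe this into classify_lines (one line per pod, images space-separated)
#   kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.metadata.name}{" "}{.spec.containers[*].image}{"\n"}{end}'
# SAMPLE_LINES below is a constructed stand-in for that output.

# Fixed releases per the upstream advisory. Assumption: confirm against upstream
# notes before rollout, as the briefing says.
FIXED_1_11="1.11.5"
FIXED_1_12="1.12.1"

# Print the version tag of an image reference without its leading "v"; empty if untagged.
image_tag() {
  ref=${1%%@*}            # drop any @sha256:... digest
  last=${ref##*/}         # last path component, e.g. controller:v1.11.4
  case "$last" in
    *:*) tag=${last##*:}; printf '%s\n' "${tag#v}" ;;
    *)   printf '\n' ;;
  esac
}

# Classify one image reference: vulnerable, fixed or unknown.
version_status() {
  tag=$(image_tag "$1")
  case "$tag" in
    ''|*[!0-9.]*) echo unknown; return ;;   # untagged, or a non-numeric tag such as 1.11.5-custom
  esac
  IFS=. read -r maj min pat <<EOF
$tag
EOF
  min=${min:-0}
  pat=${pat:-0}
  case "$pat" in *[!0-9]*) echo unknown; return ;; esac   # four-part tags are not upstream releases
  case "$maj.$min" in
    1.11) fixed_pat=${FIXED_1_11##*.} ;;
    1.12) fixed_pat=${FIXED_1_12##*.} ;;
    *)
      # Branches newer than 1.12 were cut after the fix; older branches never received one.
      if [ "$maj" -gt 1 ] || { [ "$maj" -eq 1 ] && [ "$min" -gt 12 ]; }; then echo fixed; else echo vulnerable; fi
      return ;;
  esac
  if [ "$pat" -ge "$fixed_pat" ]; then echo fixed; else echo vulnerable; fi
}

# Read "namespace pod image [image...]" lines on stdin and print
# "namespace pod image status" for every ingress-nginx controller container.
classify_lines() {
  while read -r ns pod images; do
    for img in $images; do
      case "$img" in
        */ingress-nginx/controller:*|*/ingress-nginx/controller@*|*/ingress-nginx/controller)
          printf '%s %s %s %s\n' "$ns" "$pod" "$img" "$(version_status "$img")" ;;
      esac
    done
  done
}

# Constructed sample of kubectl jsonpath output: two clusters' worth of pods merged.
SAMPLE_LINES='ingress-nginx ingress-nginx-controller-7d9f registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:0000
ingress-nginx ingress-nginx-controller-8e1a registry.k8s.io/ingress-nginx/controller:v1.12.1
kube-system coredns-5d registry.k8s.io/coredns/coredns:v1.11.1
edge ingress-nginx-controller-zz mirror.internal/ingress-nginx/controller:v1.10.1'

# Number of controller containers still on a vulnerable release in the sample.
vulnerable_count() {
  printf '%s\n' "$SAMPLE_LINES" | classify_lines | grep -c ' vulnerable$' || true
}

# Stand-alone run: print the full classification for the sample.
printf '%s\n' "$SAMPLE_LINES" | classify_lines
```

Run against live clusters by replacing the sample with the `kubectl` pipeline in the header comment, once per kubeconfig context. For the RBAC review step, `kubectl auth can-i --list --as=system:serviceaccount:ingress-nginx:ingress-nginx` (substitute the namespace and service account your deployment uses) lists what the controller's identity is allowed to do, which is the scope an attacker inherits after a controller compromise.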
Source Links¶
Related Pages¶
- Parent index: Security updates
- Related: CVE-2025-30066 CI supply chain advisory
- Related: Sobolan malware and notebook workload risk
- Newsletter: This Week in Kubernetes
- Evergreen reference: Kubernetes security primer