Ingress-nginx Bug Allows Complete Takeover of Kubernetes Cluster

Containers of a Sinking Container Ship

Kubernetes clusters using ingress-nginx can be taken over by hackers. A recently discovered vulnerability in ingress-nginx makes it possible to take over a cluster without requiring administrator rights.

A dangerous new bug allows attackers to take over Kubernetes clusters. The vulnerability is in ingress-nginx, a widely used ingress controller for Kubernetes environments. According to the Kubernetes Security Response Committee, more than 40 percent of Kubernetes administrators use ingress-nginx.

From Pod Access to Takeover

Chained together, five recently patched vulnerabilities allow an attacker to inject arbitrary NGINX configuration through the Validating Admission Controller (the admission webhook that checks incoming Ingress objects) and, from there, execute code in the ingress-nginx controller pod. The webhook accepts requests without authentication, so the attacker only needs network access to it, which in a default deployment means access to the Pod network. Ironically, the exploited functionality is meant to catch misconfigured Ingress resources before they reach the controller, but here it turns out to be the entry point for the attack.

The most severe vulnerability (CVE-2025-1974) received a CVSS score of 9.8, which classifies it as critical. Exploiting it gives an unauthenticated attacker arbitrary code execution inside the ingress-nginx controller. Since ingress-nginx by default has read access to Kubernetes Secrets across the entire cluster, that foothold is enough to leak those Secrets and completely take over the cluster.

Tabitha Sable from the Kubernetes Security Response Committee describes the situation as follows: “Anything on the Pod network has a good chance of taking over your Kubernetes cluster, without requiring login credentials or administrator access.”

Updates or Temporary Mitigation

The developers of ingress-nginx have released two new versions: v1.12.1 and v1.11.5. Both versions patch all five vulnerabilities, including CVE-2025-1974. Given the severity, administrators are advised to implement the updates as soon as possible.

Those who cannot update immediately can disable the Validating Admission Controller as a temporary measure. With Helm this is done by reinstalling (or upgrading) the release with the value controller.admissionWebhooks.enabled=false. Without Helm, either delete the ValidatingWebhookConfiguration named ingress-nginx-admission, or edit the ingress-nginx-controller Deployment or DaemonSet and remove the --validating-webhook argument from the controller container. Note that disabling the webhook removes the attack surface but does not fix the underlying bugs, so the update is still required.

Once the updates have been installed, the admission webhook should be re-enabled, as it helps users detect errors in their Ingress configurations early on.
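The following audit script is an added example, not code from the ingress-nginx project or from the advisory. It walks the JSON output of `kubectl get deployments,daemonsets -A -o json`, finds every ingress-nginx controller container, and reports whether the image is on a fixed release (v1.12.1 or later, or v1.11.5 on the 1.11 branch) and whether the admission webhook is still enabled, which is the combination the two paragraphs above care about: unpatched with the webhook on is the urgent case, patched with the webhook off is the case to re-enable. The sample manifests at the bottom are constructed; the assumption that the Helm chart passes the flag as `--validating-webhook=:8443` is the author's, and images referenced only by digest (no version tag) are treated as unpatched because the script cannot tell.

```python
import re

# Fixed releases named in the advisory. Everything older on the 1.12 or 1.11
# branch, and every release before 1.11, is affected.
FIXED_1_12 = (1, 12, 1)
FIXED_1_11 = (1, 11, 5)

STATUS_OK = "patched, webhook enabled"
STATUS_REENABLE = "patched, webhook disabled: re-enable it"
STATUS_VULNERABLE = "VULNERABLE: update now or disable the webhook"
STATUS_MITIGATED = "unpatched, webhook disabled: update as soon as possible"

_TAG_RE = re.compile(r":v?(\d+)\.(\d+)\.(\d+)")


def parse_version(image):
    """(major, minor, patch) from a reference such as
    registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:...;
    None when there is no plain semver tag (':latest', digest-only)."""
    m = _TAG_RE.search(image)
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(version):
    """True only for v1.12.1+ or for v1.11.5 up to (not including) v1.12.0."""
    if version is None:
        return False  # unknown tag: assume the worst
    if version >= FIXED_1_12:
        return True
    return FIXED_1_11 <= version < (1, 12, 0)


def webhook_enabled(container):
    """The controller serves the admission webhook only when started with
    --validating-webhook (assumed Helm form: --validating-webhook=:8443).
    --validating-webhook-certificate / -key on their own do not count."""
    args = list(container.get("command", [])) + list(container.get("args", []))
    return any(a == "--validating-webhook" or a.startswith("--validating-webhook=")
               for a in args)


def audit(workloads):
    """Classify each ingress-nginx controller container in kubectl JSON output."""
    findings = []
    for item in workloads.get("items", []):
        meta = item["metadata"]
        pod_spec = item["spec"]["template"]["spec"]
        for c in pod_spec.get("containers", []):
            if "ingress-nginx/controller" not in c.get("image", ""):
                continue  # not an ingress-nginx controller
            patched = is_patched(parse_version(c["image"]))
            hook = webhook_enabled(c)
            if patched:
                status = STATUS_OK if hook else STATUS_REENABLE
            else:
                status = STATUS_VULNERABLE if hook else STATUS_MITIGATED
            findings.append({"kind": item["kind"], "namespace": meta["namespace"],
                             "name": meta["name"], "image": c["image"],
                             "status": status})
    return findings


def _workload(kind, namespace, name, image, args):
    """Build a minimal Deployment/DaemonSet object in the shape kubectl emits."""
    return {"kind": kind, "metadata": {"namespace": namespace, "name": name},
            "spec": {"template": {"spec": {"containers": [
                {"name": "controller", "image": image, "args": args}]}}}}


_WEBHOOK_ARGS = ["/nginx-ingress-controller", "--election-id=ingress-nginx-leader",
                 "--validating-webhook=:8443",
                 "--validating-webhook-certificate=/usr/local/certificates/cert",
                 "--validating-webhook-key=/usr/local/certificates/key"]
_NO_WEBHOOK_ARGS = [a for a in _WEBHOOK_ARGS if not a.startswith("--validating-webhook=")]

# Constructed sample: what `kubectl get deployments,daemonsets -A -o json` might return.
SAMPLE = {"items": [
    _workload("Deployment", "ingress-nginx", "ingress-nginx-controller",
              "registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:deadbeef", _WEBHOOK_ARGS),
    _workload("DaemonSet", "edge", "ingress-nginx-controller",
              "registry.k8s.io/ingress-nginx/controller:v1.11.4", _NO_WEBHOOK_ARGS),
    _workload("Deployment", "ingress-nginx", "ingress-nginx-controller-new",
              "registry.k8s.io/ingress-nginx/controller:v1.12.1", _WEBHOOK_ARGS),
    _workload("Deployment", "internal", "ingress-nginx-controller",
              "registry.k8s.io/ingress-nginx/controller:v1.11.5", _NO_WEBHOOK_ARGS),
    _workload("Deployment", "kube-system", "coredns",
              "registry.k8s.io/coredns/coredns:v1.11.1", ["-conf", "/etc/coredns/Corefile"]),
]}

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['kind']} {f['namespace']}/{f['name']} ({f['image']}): {f['status']}")
```

Run it against real output with `kubectl get deployments,daemonsets -A -o json > workloads.json` and `audit(json.load(open("workloads.json")))`. Note that removing `--validating-webhook` while leaving the ingress-nginx-admission ValidatingWebhookConfiguration in place is what the advisory describes as one of the alternatives, so the script deliberately checks the controller arguments rather than the webhook configuration object.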

The bugs in ingress-nginx are serious and the consequences of exploitation are significant. According to researchers from Wiz, who discovered the bugs, at least 6,500 clusters worldwide expose a vulnerable admission controller to the public internet, which removes even the Pod-network requirement for those clusters. Wiz dramatically calls the bug #IngressNightmare.