Help Center/ Cloud Container Engine_Autopilot/ Product Bulletin/ Vulnerability Notices/ Notice of the NGINX Ingress Controller Vulnerabilities (CVE-2025-1974, CVE-2025-1097, CVE-2025-1098, CVE-2025-24513, and CVE-2025-24514)

Updated on 2025-03-27 GMT+08:00

View PDF

Notice of the NGINX Ingress Controller Vulnerabilities (CVE-2025-1974, CVE-2025-1097, CVE-2025-1098, CVE-2025-24513, and CVE-2025-24514)

The Kubernetes community recently identified five security vulnerabilities (CVE-2025-1974, CVE-2025-1097, CVE-2025-1098, CVE-2025-24513, and CVE-2025-24514) that could potentially allow attackers to run unauthorized code or interrupt services.

CVE-2025-1974: This high-risk vulnerability was discovered in the NGINX Ingress Controller. It enables unauthenticated attackers to access the pod network under specific conditions and execute arbitrary code in the context of the NGINX Ingress Controller, potentially leading to sensitive information exposure.
CVE-2025-1097: This high-risk vulnerability was discovered in the NGINX Ingress Controller where the auth-tls-match-cn annotation in the ingress objects can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the NGINX Ingress Controller and disclosure of secrets accessible to the controller.
CVE-2025-1098: This high-risk vulnerability was discovered in the NGINX Ingress Controller where the mirror-target and mirror-host annotations in the ingress objects can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the NGINX Ingress Controller and disclosure of secrets accessible to the controller.
CVE-2025-24513: This vulnerability was discovered in the NGINX Ingress Controller. It allows the malicious data provided by attackers to be included in a file name by the admission controller feature, potentially leading to directory traversal within containers. This could result in denial of service (DoS) or limited disclosure of secret objects when combined with other vulnerabilities.
CVE-2025-24514: This high-risk vulnerability was discovered in the NGINX Ingress Controller where the auth-url annotation in the ingress objects can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the NGINX Ingress Controller and disclosure of secrets accessible to the controller.

Vulnerability Details

**Table 1** Vulnerability details
Type	CVE-ID	Severity	Discovered
Code execution	CVE-2025-1974	High	2025-03-24
Code execution	CVE-2025-1097	High	2025-03-24
Code execution	CVE-2025-1098	High	2025-03-24
Code execution	CVE-2025-24514	High	2025-03-24
Denial of service	CVE-2025-24513	Medium	2025-03-24

Impact

These vulnerabilities affect the open source NGINX Ingress Controller of the following versions:

v1.11.0 or earlier
v1.11.0 to v1.11.4
v1.12.0

NGINX Ingress Controller v2.4.14 or earlier for CCE Autopilot is also affected by these vulnerabilities. For details about the mapping between this add-on and open-source versions, see NGINX Ingress Controller Release History.

Identification Method

Go to the Add-ons page and check whether the NGINX Ingress Controller add-on has been installed.
Figure 1 Viewing the installed add-on version
If it is installed, check its version. If the add-on version is v2.4.14 or earlier, it is affected by these vulnerabilities, or the add-on is safe from these vulnerabilities.

Solution

CCE Autopilot will release a new version of the NGINX Ingress Controller add-on to address these vulnerabilities. Keep an eye out for NGINX Ingress Controller Release History.

For the CVE-2025-1974 vulnerability, you can disable the admission check of the NGINX Ingress Controller add-on. The procedure is as follows:
- If the NGINX Ingress Controller add-on version is earlier than v2.4.13, admission webhook is disabled by default. No workaround is required.
- Disable admission webhook during off-peak hours.
1. Log in to the CCE console and click the cluster name to access the cluster console.
2. In the navigation pane, choose Add-ons. In the right pane, find the NGINX Ingress Controller add-on and click Manage. In the window that slides out from the right, select the add-on version that is affected by the vulnerabilities and click Edit.
  Figure 2 Managing the add-on
3. In the Edit Add-on dialog box, disable Admission Check and click OK in the lower right corner. Wait until the add-on status changes to Normal.
  Figure 3 Disabling admission check
4. Upgrade NGINX Ingress Controller to the specified version with these vulnerabilities fixed. Then you can enable admission check.
  
  Disabling admission check in NGINX Ingress Controller will bypass the pre-verification of ingress configurations, which may lead to configuration errors and affect service reliability and stability. After disabling the admission check, ensure the ingress configuration is valid when creating or updating the ingress. Verify the configuration thoroughly in a test environment before deploying it to production.
For CVE-2025-1097, CVE-2025-1098, and CVE-2025-24514, disabling the admission check mitigates the vulnerability risk. Before fixing these vulnerabilities, grant only the permissions for creating and managing ingresses to trusted users based on the principle of least privilege. For details, see Namespace Permissions (Kubernetes RBAC-based).
1. Log in to the CCE console.
2. Go to the Permissions page, select the target cluster, and click Add Permission in the upper right corner.
3. Specify the user or user group, namespace, and permission type to be granted, and click View Details.
4. Click Clone.
5. Enter the name of the new custom permission.
6. Delete the ingress role and click OK.
7. Return back to the page for adding permissions, set Permission Type to Custom, and select the custom permission created in the previous step.
8. Click OK.