TSB-839: Kubernetes Ingress NGINX Controller vulnerabilities
Five vulnerabilities affecting the Ingress Nginx Controller for Kubernetes were publicly disclosed on March 24, 2025, and were given the nickname "IngressNightmare."
The "IngressNightmare" vulnerabilities may allow remote code execution (RCE) and potentially expose Kubernetes clusters to malicious configuration modifications. Exploitation requires specially crafted HTTP requests that bypass security measures such as a Web Application Firewall (WAF). Successful exploitation may lead to complete cluster compromise, data exfiltration, and denial of service.
Details of the CVEs:
- CVE-2025-1974 (CVSS score: 9.8): An unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller under certain conditions.
- CVE-2025-24514 (CVSS score: 8.8): The auth-url Ingress annotation can be used to inject configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller.
- CVE-2025-1097 (CVSS score: 8.8): The auth-tls-match-cn Ingress annotation can be used to inject configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller.
- CVE-2025-1098 (CVSS score: 8.8): The mirror-target and mirror-host Ingress annotations can be used to inject arbitrary configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller.
- CVE-2025-24513 (CVSS score: 4.8): An improper input validation vulnerability that could result in directory traversal within the container, leading to denial of service (DoS) or limited disclosure of Secret objects from the cluster when combined with other vulnerabilities.
Action required
Multiple mitigation scenarios are possible depending on the version of Cloudera Data Services deployed.
- Check your Data Services version. To determine which version of Data Services is running, log into the Cloudera Manager UI, click "Data Services" in the left sidebar, and note the version of each Data Services cluster.
- Check your Cloudera Manager version. To determine which version of Cloudera Manager is running, log into the Cloudera Manager UI and click the version number in the lower-left corner of the home page. Cloudera Manager 7.11.3 CHF8 shows build number 56304673.
- No action is needed in the following scenarios:
  - Running Data Services on OpenShift Container Platform (OCP) with the default HAProxy ingress controller. If you have customized OCP to use NGINX as the ingress controller, contact Red Hat support for further information.
  - Running Data Services 1.5.4 or later with Cloudera Manager 7.11.3 CHF8 or later. These versions already disable the affected admission webhook component.
- If running Data Services before 1.5.4, or Cloudera Manager before 7.11.3 CHF8, perform one of the following:
  - (Recommended) Upgrade Cloudera Manager to version 7.13.1 CHF1 or higher and all Embedded Container Service (ECS) clusters to 1.5.4 SP2 or higher. This does not upgrade the NGINX version, but Cloudera Manager automatically disables the webhook, which mitigates the CVEs.
  - If an upgrade is not possible, disable the webhook manually to mitigate the CVEs:
    - SSH into the ECS server host.
    - Create the following YAML file to patch the built-in NGINX Ingress Controller Helm chart:

```yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      admissionWebhooks:
        enabled: false
```

    - Run the following commands to apply the patch:

```bash
alias kubectl=/var/lib/rancher/rke2/bin/kubectl
export KUBECONFIG=/etc/rancher/rke2/rke2.yaml
kubectl apply -f <PATCH_FILENAME>.yaml
```
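After the patch is applied, the following script is an added verification check (not part of the TSB or of Cloudera's tooling) that confirms the HelmChartConfig actually disables the webhook and that the ingress-nginx admission webhook is no longer registered in the cluster. It reuses the kubectl and kubeconfig paths from the steps above and assumes the webhook object is named rke2-ingress-nginx-admission, following the ingress-nginx chart's "<release name>-admission" convention (override with WEBHOOK_NAME if your cluster differs).

```shell
#!/bin/sh
# Added example, not part of the TSB: confirm that the admission webhook is disabled after
# the HelmChartConfig patch. kubectl and kubeconfig paths are the TSB's; the name of the
# ValidatingWebhookConfiguration is an assumption based on the ingress-nginx chart
# convention "<release name>-admission" and can be overridden with WEBHOOK_NAME.
set -eu

KUBECTL="${KUBECTL:-/var/lib/rancher/rke2/bin/kubectl}"
export KUBECONFIG="${KUBECONFIG:-/etc/rancher/rke2/rke2.yaml}"
WEBHOOK_NAME="${WEBHOOK_NAME:-rke2-ingress-nginx-admission}"

# values_disable_webhook VALUES_CONTENT
# Returns 0 when the valuesContent YAML sets "enabled: false" as a direct child of
# "admissionWebhooks:" (a deeper "enabled: false", e.g. under "patch:", does not count).
values_disable_webhook() {
  printf '%s\n' "$1" | awk '
    function ind() { match($0, /[^ \t]/); return RSTART }
    /^[ \t]*$/ { next }
    /^[ \t]*admissionWebhooks:/ { inblock = 1; depth = ind(); child = 0; next }
    inblock {
      i = ind()
      if (i <= depth) { inblock = 0; next }       # indentation back at or above the key: block ended
      if (child == 0) child = i                   # indentation of the direct children
      if (i == child && $0 ~ /^[ \t]*enabled:[ \t]*false[ \t]*$/) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# webhook_absent NAMES
# NAMES is the output of "kubectl get validatingwebhookconfigurations -o name", one object
# per line. Returns 0 when the ingress-nginx admission webhook is no longer registered.
webhook_absent() {
  ! printf '%s\n' "$1" | sed 's#.*/##' | grep -qx "$WEBHOOK_NAME"
}

# Live check against the cluster; runs only with --live on a host that has the RKE2 kubectl.
if [ "${1:-}" = "--live" ] && [ -x "$KUBECTL" ]; then
  values="$("$KUBECTL" -n kube-system get helmchartconfig rke2-ingress-nginx \
              -o jsonpath='{.spec.valuesContent}')"
  values_disable_webhook "$values" || { echo "HelmChartConfig does not disable the webhook"; exit 1; }
  names="$("$KUBECTL" get validatingwebhookconfigurations -o name)"
  webhook_absent "$names" || { echo "$WEBHOOK_NAME is still registered (controller not yet redeployed?)"; exit 1; }
  echo "Mitigation verified: admission webhook disabled and not registered"
fi
```

Run it as `sh check-webhook.sh --live` on the ECS server host; a non-zero exit means the mitigation is incomplete, which is typically because the rke2-ingress-nginx Helm job has not yet redeployed the controller.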
For the latest update on this issue, see the corresponding Knowledge article: TSB 2025-839: Critical Kubernetes Ingress NGINX Controller Vulnerability Allows RCE Without Authentication
For the latest update on this issue, see the corresponding Data Services Knowledge article: https://my.cloudera.com/knowledge/TSB-2025-839-Mitigation-steps-for-Cloudera-Data-Services-on?id=405006