Frequently asked questions about five vulnerabilities in the Ingress NGINX Controller for Kubernetes, collectively known as IngressNightmare.

CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513, CVE-2025-24514: Frequently Asked Questions About IngressNightmare

A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

We are monitoring a series of vulnerabilities in the Ingress NGINX Controller for Kubernetes, dubbed IngressNightmare. Organizations are advised to apply available patches.

Ingress NGINX Controller for Kubernetes versions before 1.11.5, and 1.12.x before 1.12.1 suffer from a critical remote code execution vulnerability. Successful exploitation allows an unauthenticated attacker with access to the pod network to achieve remote code execution (RCE) in the controller's context, potentially leading to disclosure of all cluster-wide secrets and cluster takeover.

Note that this plugin requires the 'File Upload' assessment option enabled in the scan configuration.

The version of Ingres-NGINX controller installed on the remote host is prior to 1.11.5/1.12.1. It is, therefore, affected by multiple vulnerabilities as referenced as Ingress Nightmare.

  - A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with     access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This     can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the     controller can access all Secrets cluster-wide.) (CVE-2025-1974)

  - A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the     `mirror-target` and `mirror-host` Ingress annotations can be used to inject arbitrary configuration into nginx.     This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets     accessible to the controller. (Note that in the default installation, the controller can access     all Secrets cluster-wide.) (CVE-2025-1098)   
  - A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the     `auth-tls-match-cn` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary     code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the     controller. (Note that in the default installation, the controller can access     all Secrets cluster-wide.) (CVE-2025-1097)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
114691	Kubernetes Ingress NGINX Controller Arbitrary Code Execution	Web App Scanning	Component Vulnerability	critical
233656	Kubernetes Ingress NGINX Controller Arbitrary Code Execution (CVE-2025-1974)	Nessus	CGI abuses	critical
233357	Ingress-NGINX controller < 1.11.5 / 1.12 < 1.12.1 Multiple Vulnerabilities	Nessus	Misc.	critical

Detections

Analytics

CVE-2025-1974

critical

Tenable Plugins

critical

critical

critical