Ingress-nginx CVE-2025-1974 - how Kubewarden can help you
Last week, a high-severity issue, CVE-2025-1974, was found affecting ingress-nginx, one of the most widely used ingress solutions for Kubernetes.
The issue
The issue allows an attacker to execute arbitrary code in the Pod running the controller. The attacker can then steal the Kubernetes identity of the ingress-nginx controller which, by design, has access to all the Secrets defined in the cluster.
The issue is exploited by making HTTP requests against the validating webhook server used by the ingress-nginx controller. Only the Kubernetes API server should be allowed to make requests against the webhook endpoint.
However, it was discovered that certain clusters even expose this webhook endpoint outside of the cluster, for example through an Ingress resource.
How Kubewarden can help you
Two new Kubewarden policies have been created to help Kubernetes administrators.
Identify webhook endpoints that are accidentally exposed
The first policy, named do-not-expose-admission-controller-webhook-services, validates the creation and update of ValidatingWebhookConfiguration and MutatingWebhookConfiguration resources.
The policy queries the Kubernetes API to identify Services exposed externally via Ingress resources, and rejects webhook configurations that point at such a Service.
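The check described above, as an added example that is not the Kubewarden policy's own code: given an admission webhook configuration and the Ingress objects in the cluster (here constructed sample dicts shaped like the Kubernetes API objects), it reports every webhook whose backing Service is also an Ingress backend, i.e. reachable from outside the cluster.

```python
# Added example, not Kubewarden's policy code: flag admission webhooks whose
# backing Service is also an Ingress backend, i.e. reachable from outside the
# cluster. Dict shapes follow the Kubernetes API objects; sample data is constructed.


def webhook_services(webhook_cfg):
    """(webhook name, namespace, service) for each webhook backed by a Service."""
    for wh in webhook_cfg.get("webhooks", []):
        svc = wh.get("clientConfig", {}).get("service")
        if svc:  # url-based clientConfigs are not in-cluster Services
            yield wh["name"], svc["namespace"], svc["name"]


def ingress_backends(ingress):
    """Set of (namespace, service) pairs an Ingress routes to.
    Ingress backends always live in the Ingress's own namespace."""
    ns = ingress["metadata"]["namespace"]
    spec = ingress.get("spec", {})
    backends = set()
    default = spec.get("defaultBackend", {}).get("service")
    if default:
        backends.add((ns, default["name"]))
    for rule in spec.get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            svc = path.get("backend", {}).get("service")
            if svc:
                backends.add((ns, svc["name"]))
    return backends


def exposed_webhooks(webhook_cfg, ingresses):
    """Sorted names of webhooks whose Service is a backend of any Ingress."""
    exposed = set().union(*(ingress_backends(i) for i in ingresses))
    return sorted(name for name, ns, svc in webhook_services(webhook_cfg)
                  if (ns, svc) in exposed)


# Constructed sample: the admission Service is accidentally published by an Ingress.
SAMPLE_WEBHOOK_CFG = {"webhooks": [
    {"name": "validate.nginx.ingress.kubernetes.io", "clientConfig": {"service": {
        "namespace": "ingress-nginx", "name": "ingress-nginx-controller-admission"}}},
    {"name": "other.example.com", "clientConfig": {"service": {
        "namespace": "other", "name": "other-webhook"}}},
]}
SAMPLE_INGRESSES = [
    {"metadata": {"namespace": "ingress-nginx"}, "spec": {"rules": [{"http": {"paths": [
        {"path": "/", "backend": {"service": {"name": "ingress-nginx-controller-admission",
                                              "port": {"number": 443}}}}]}}]}},
    {"metadata": {"namespace": "other"}, "spec": {"defaultBackend": {
        "service": {"name": "web", "port": {"number": 80}}}}},
]
```

With the sample data, `exposed_webhooks(SAMPLE_WEBHOOK_CFG, SAMPLE_INGRESSES)` returns only the ingress-nginx webhook; a policy would reject the configuration, and the audit scanner would flag an existing one.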
Block dangerous nginx-ingress annotation
The second policy, written by a community member, is named ingressnightmare-policy.
The policy validates Ingress resources and prevents the usage of some, but not all, of the dangerous ingress-nginx annotations that can be abused as described in CVE-2025-1974.
Audit Scanner
These policies can also help identify existing workloads that may be vulnerable to CVE-2025-1974.
Using the audit scanner feature, Kubernetes administrators can detect and flag the following resources:
- (Validating|Mutating)WebhookConfiguration objects that rely on publicly exposed webhook endpoints.
- Ingress objects that could be exploited by attackers because of the usage of unsafe annotations.
Once flagged by Kubewarden, you can review and remediate these resources to improve the cluster's security posture.
Getting in touch
As always, we welcome your feedback and contributions. Feel free to reach out to us on Slack and GitHub discussions.