Kubewarden

Ingress-nginx CVE-2025-1974 - how Kubewarden can help you

Author: Flavio Castelli

Published:

Last week, a high severity issue CVE-2025-1974 was found affecting ingress-nginx, one of the most used ingress solutions for Kubernetes.

The issue

The issue allows an attacker to execute arbitrary code in the Pod running the controller. The attacker can then steal the Kubernetes identity of the nginx-ingress controller which, by design, has access to all the Secrets defined in the cluster.

The issue is exploited by making HTTP requests against the validating webhook server used by the nginx-ingress controller. Only the Kubernetes API server should be allowed to make requests against the webhook endpoint. However, it was discovered that some clusters even expose this webhook endpoint outside of the cluster, for example through an Ingress resource.

How Kubewarden can help you

Two new Kubewarden policies have been created to help Kubernetes administrators.

Identify webhook endpoints that are accidentally exposed

The first policy, named do-not-expose-admission-controller-webhook-services, validates the creation and update of ValidatingWebhookConfiguration and MutatingWebhookConfiguration resources.

The policy queries the Kubernetes API to identify services exposed externally via Ingress resources.
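As an added illustration (not the policy's own code), the following Python reproduces that check offline on constructed Kubernetes objects: it collects the Services that Ingress resources publish and flags every admission webhook whose clientConfig.service is among them. Object and Service names in the sample data are constructed for the example.

```python
# Added illustration, not Kubewarden's own policy code: an offline version of the check
# do-not-expose-admission-controller-webhook-services performs, on API-shaped dicts.
WEBHOOK_KINDS = {"ValidatingWebhookConfiguration", "MutatingWebhookConfiguration"}


def ingress_backends(ingresses):
    """Set of (namespace, service) pairs that Ingress objects publish externally.
    A backend Service always lives in the Ingress's own namespace."""
    exposed = set()
    for ing in ingresses:
        ns = ing["metadata"].get("namespace", "default")
        spec = ing.get("spec", {})
        services = [spec.get("defaultBackend", {}).get("service")]
        for rule in spec.get("rules", []):
            for path in rule.get("http", {}).get("paths", []):
                services.append(path.get("backend", {}).get("service"))
        exposed.update((ns, svc["name"]) for svc in services if svc)
    return exposed


def exposed_webhooks(webhook_configs, ingresses):
    """Flag every webhook whose clientConfig.service is also an Ingress backend.
    Returns (configuration name, webhook name, "namespace/service") triples."""
    exposed = ingress_backends(ingresses)
    findings = []
    for cfg in webhook_configs:
        if cfg.get("kind") not in WEBHOOK_KINDS:
            continue
        for wh in cfg.get("webhooks", []):
            svc = wh.get("clientConfig", {}).get("service")  # None for URL-based webhooks
            if svc and (svc["namespace"], svc["name"]) in exposed:
                findings.append((cfg["metadata"]["name"], wh["name"], f"{svc['namespace']}/{svc['name']}"))
    return findings


# Constructed sample input: the admission Service is mistakenly published by an Ingress;
# a second webhook's Service only shares a name with a backend in another namespace.
SAMPLE_INGRESSES = [
    {"metadata": {"name": "leaky", "namespace": "ingress-nginx"},
     "spec": {"rules": [{"http": {"paths": [{"path": "/", "backend": {"service": {
         "name": "ingress-nginx-controller-admission", "port": {"number": 443}}}}]}}]}},
    {"metadata": {"name": "app", "namespace": "default"},
     "spec": {"defaultBackend": {"service": {"name": "webhook", "port": {"number": 80}}}}},
]
SAMPLE_WEBHOOKS = [
    {"kind": "ValidatingWebhookConfiguration", "metadata": {"name": "ingress-nginx-admission"},
     "webhooks": [{"name": "validate.nginx.ingress.kubernetes.io", "clientConfig": {"service": {
         "namespace": "ingress-nginx", "name": "ingress-nginx-controller-admission"}}}]},
    {"kind": "MutatingWebhookConfiguration", "metadata": {"name": "example-mutator"},
     "webhooks": [{"name": "mutate.example.com", "clientConfig": {"service": {
         "namespace": "example", "name": "webhook"}}}]},
]
```

Running `exposed_webhooks(SAMPLE_WEBHOOKS, SAMPLE_INGRESSES)` flags only the ingress-nginx admission webhook; the second webhook is left alone because its Service lives in a namespace no Ingress publishes.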

Block dangerous nginx-ingress annotation

The second policy, written by a community member, is named ingressnightmare-policy. The policy validates Ingress resources and prevents the usage of some, but not all, dangerous nginx-ingress annotations that can be abused as described in CVE-2025-1974.

Audit Scanner

These policies can also help identify existing workloads that may be vulnerable to CVE-2025-1974.

Using the audit scanner feature, Kubernetes administrators can detect and flag the following resources:

  • (Validating|Mutating)WebhookConfiguration objects that rely on publicly exposed webhook endpoints.
  • Ingress objects that could be exploited by attackers because of the usage of unsafe annotations.

Once flagged by Kubewarden, you can review and remediate these resources to enhance the cluster’s security posture.

Getting in touch

As always, we welcome your feedback and contributions. Feel free to reach out to us on Slack and GitHub discussions.