SECURITY VULNERABILITY NOTICE

"Ingress Nightmare" CVE-2025-24513 and CVE-2025-24514 and CVE-2025-1097 and CVE-2025-1098 and CVE-2025-1974

Update 3/26/2025

Alerted Vulnerabilities

On 3/25/2025 Wind River became aware of a set of five Vulnerabilities in NGINX, and having CVSS Severity Scores ranging from 4.8 to 9.8:

  • CVE-2025-24513 (CVSS score: 4.8) – An improper input validation vulnerability that could result in directory traversal within the container, leading to denial-of-service (DoS) or limited disclosure of secret objects from the cluster when combined with other vulnerabilities
  • CVE-2025-24514 (CVSS score: 8.8) – The auth-url Ingress annotation can be used to inject configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller
  • CVE-2025-1097 (CVSS score: 8.8) – The auth-tls-match-cn Ingress annotation can be used to inject configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller.
  • CVE-2025-1098 (CVSS score: 8.8) – The mirror-target and mirror-host Ingress annotations can be used to inject arbitrary configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller
  • CVE-2025-1974 (CVSS score: 9.8) – An unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller under certain conditions

https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities

Affected ingress-nginx Versions

This issue affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running `kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx`.

Affected Versions:

  • v1.11.0
  • v1.11.0 - 1.11.4
  • v1.12.0"

https://github.com/kubernetes/kubernetes/issues/131009

Wind River Response

Wind River immediately activated our Product Security Incident Response Team (PSIRT) and completed the Triage and inventory of affected products. We are finalizing the incorporation and release plans for the remediations identified below. 

Mitigation

For customer's requiring an immediate response in your environments, you may mitigate the impacts of these vulnerabilities by "turning off the Validating Admission Controller feature of ingress-nginx", according to the instructions provided here: https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/

Remediation

The upstream has "released ingress-nginx v1.12.1 and v1.11.5, which have fixes for all five of these vulnerabilities": https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/

Next Steps

Please visit the Wind River Security Center for ongoing updates at https://www.windriver.com/security.  We are also reaching out to affected customers shortly through the established customer support channels for release of the upstream fix remediations.  

Additional Resources

Please access these additional resources for these and all vulnerabilities:

Wind River customers with additional questions about these vulnerabilities should contact Wind River Customer Support or their local Wind River sales representative for more information. If you own a device that may be impacted by these vulnerabilities, please contact your device manufacturer.