SECURITY VULNERABILITY NOTICE
"Ingress Nightmare" CVE-2025-24513 and CVE-2025-24514 and CVE-2025-1097 and CVE-2025-1098 and CVE-2025-1974
Update 3/26/2025
Alerted Vulnerabilities
On 3/25/2025 Wind River became aware of a set of five Vulnerabilities in NGINX, and having CVSS Severity Scores ranging from 4.8 to 9.8:
- CVE-2025-24513 (CVSS score: 4.8) – An improper input validation vulnerability that could result in directory traversal within the container, leading to denial-of-service (DoS) or limited disclosure of secret objects from the cluster when combined with other vulnerabilities
- CVE-2025-24514 (CVSS score: 8.8) – The auth-url Ingress annotation can be used to inject configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller
- CVE-2025-1097 (CVSS score: 8.8) – The auth-tls-match-cn Ingress annotation can be used to inject configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller.
- CVE-2025-1098 (CVSS score: 8.8) – The mirror-target and mirror-host Ingress annotations can be used to inject arbitrary configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller
- CVE-2025-1974 (CVSS score: 9.8) – An unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller under certain conditions
https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
Affected ingress-nginx Versions
This issue affects ingress-nginx. If you do not have ingress-nginx installed on your cluster, you are not affected. You can check this by running `kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx`.
Affected Versions:
- v1.11.0
- v1.11.0 - 1.11.4
- v1.12.0"
https://github.com/kubernetes/kubernetes/issues/131009
Wind River Response
Wind River immediately activated our Product Security Incident Response Team (PSIRT) and completed the Triage and inventory of affected products. We are finalizing the incorporation and release plans for the remediations identified below.
Mitigation
For customer's requiring an immediate response in your environments, you may mitigate the impacts of these vulnerabilities by "turning off the Validating Admission Controller feature of ingress-nginx", according to the instructions provided here: https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/
Remediation
The upstream has "released ingress-nginx v1.12.1 and v1.11.5, which have fixes for all five of these vulnerabilities": https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/
Next Steps
Please visit the Wind River Security Center for ongoing updates at https://www.windriver.com/security. We are also reaching out to affected customers shortly through the established customer support channels for release of the upstream fix remediations.
Additional Resources
Please access these additional resources for these and all vulnerabilities:
- Wind River Security Center
- Wind River Product CVE Database
- Product-Specific Security Alerts and RSS Subscription
Wind River customers with additional questions about these vulnerabilities should contact Wind River Customer Support or their local Wind River sales representative for more information. If you own a device that may be impacted by these vulnerabilities, please contact your device manufacturer.