Ingress-nginx CVE 2025-1974 exposes a buffer overflow in the Lua response handler. Attackers can trigger arbitrary code execution in the ingress-nginx controller pod. This flaw affects versions v1.11.0 through v1.12.0. Patch releases v1.11.5 and v1.12.1 remove the vulnerable code paths and harden header parsing. Cluster operators must upgrade immediately to close the window for remote compromise.
Read Ingress-nginx CVE 2025-1974 Patch and Mitigation Guide for details on how to mitigate this security issue.
TL;DR
- CVE-2025-1974 involves a buffer overflow in the Lua rewrite-response module of ingress-nginx.
- Vulnerable releases: ingress-nginx v1.11.0–v1.12.0.
- Upgrade to v1.11.5 or v1.12.1 using Helm or YAML manifests.
- Confirmed exploit allows remote code execution in controller context.
- Apply network policies and enable pod security contexts as interim controls.
- Review ingress rules to avoid untrusted header manipulations.
Ingress-nginx CVE 2025-1974 Overview
On 2025-03-24, the ingress-nginx maintainers published patches for CVE-2025-1974. The defect resides in header parsing routines implemented in Lua. A crafted HTTP response with oversized headers can overrun an internal buffer. Attackers who control backend responses can exploit this flaw to run arbitrary Lua code. Since ingress-nginx runs with elevated privileges by default, an exploit can compromise the entire cluster.
Root Cause: Buffer Overflow in Lua Module
The ingress-nginx controller leverages the OpenResty platform, embedding Lua for dynamic request and response processing. The vulnerable function, ngx_http_lua_ffi_inject_response_headers, fails to validate header length before concatenation. A header exceeding 8KB triggers a stack overflow. The overflow can overwrite adjacent memory, hijacking the control flow. Proof-of-concept code shows an attacker can escalate to code execution in the NGINX worker process.
Impact of Ingress-nginx CVE
Ingress controllers serve as the security perimeter for Kubernetes services. A breach in that layer grants direct network access to internal services and control APIs. Attackers can pivot to Etcd or kubelet APIs. Over 40% of Kubernetes clusters use ingress-nginx. A successful exploit has high blast radius. Multi-tenant clusters face account takeover risks. Regulated workloads risk data exfiltration and compliance violations.
Mitigating Ingress-nginx CVE via Patching
Ingress-nginx v1.12.1 and v1.11.5 include bounds checks and remove the vulnerable Lua code path. Follow these steps to upgrade via Helm:
# Add or update the ingress-nginx chart repo
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update

# For clusters on v1.12.x
helm upgrade ingress-nginx ingress-nginx/ingress-nginx \
  --namespace ingress-nginx \
  --version 1.12.1

# For clusters on v1.11.x
helm upgrade ingress-nginx ingress-nginx/ingress-nginx \
  --namespace ingress-nginx \
  --version 1.11.5
To upgrade via manifests:
# Partial Deployment spec: merge these fields into the existing
# ingress-nginx-controller Deployment rather than applying it on its own.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  template:
    spec:
      containers:
      - name: controller
        # Pin the upstream controller image to a patched release
        # (v1.12.1 shown; use v1.11.5 on the v1.11 line)
        image: registry.k8s.io/ingress-nginx/controller:v1.12.1
        args:
        - --v=2
        - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
        - --election-id=ingress-controller-leader
        - --ingress-class=nginx
        - --disable-response-buffering
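Before and after the upgrade it helps to confirm which controller images are actually running. The script below is an added example, not code from the original post or the ingress-nginx project; it assumes kubectl access to the cluster and that the controller container is named "controller" as in the manifest above, and classifies tags against the affected range the page states (v1.11.0 through v1.12.0, fixed in v1.11.5 and v1.12.1).

```shell
#!/bin/sh
# Added example (not from the original post or the ingress-nginx project):
# classify controller image tags against the affected range stated above
# and list any controller pods still running a vulnerable build.

# image_tag IMAGE -> prints the tag of an image reference, e.g.
# registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:abcd -> v1.12.0
image_tag() {
  ref="${1%%@*}"               # drop any @sha256:... digest
  tail="${ref##*/}"            # last path component, e.g. controller:v1.12.0
  case "$tail" in
    *:*) printf '%s\n' "${tail##*:}" ;;
    *)   printf 'latest\n' ;;  # no tag means the implicit "latest"
  esac
}

# is_vulnerable TAG -> exit 0 if TAG is within v1.11.0..v1.11.4 or is
# v1.12.0; exit 1 otherwise (patched, outside the stated range, or not
# a MAJOR.MINOR.PATCH tag such as "latest").
is_vulnerable() {
  v="${1#v}"
  case "$v" in
    [0-9]*.[0-9]*.[0-9]*) ;;
    *) return 1 ;;
  esac
  major="${v%%.*}"; rest="${v#*.}"
  minor="${rest%%.*}"; patch="${rest#*.}"
  patch="${patch%%[!0-9]*}"    # strip suffixes such as -rc1
  [ "$major" -eq 1 ] || return 1
  case "$minor" in
    11) [ "$patch" -lt 5 ] ;;  # fixed in v1.11.5
    12) [ "$patch" -lt 1 ] ;;  # fixed in v1.12.1
    *)  return 1 ;;
  esac
}

# scan_cluster -> prints one line per vulnerable controller pod. Assumes
# kubectl is on PATH and the container is named "controller" as in the
# manifest above; needs a live cluster, so it is not exercised offline.
scan_cluster() {
  kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name} {.spec.containers[?(@.name=="controller")].image}{"\n"}{end}' \
  | while read -r pod image; do
      [ -n "$image" ] || continue
      if is_vulnerable "$(image_tag "$image")"; then
        printf 'VULNERABLE %s %s\n' "$pod" "$image"
      fi
    done
}
```

Run scan_cluster before and after the Helm or manifest upgrade; an empty result means no controller pod is left on an affected tag.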
Ingress-nginx CVE Best Practices
Upgrade alone may not suffice. Implement pod security contexts to run the controller as non-root. Example:
# Container-level securityContext for the controller container
securityContext:
  runAsUser: 65534   # nobody
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
Apply a NetworkPolicy to restrict egress only to known backend services:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-ingress-nginx-egress
  namespace: ingress-nginx
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
  policyTypes:
  - Egress
  egress:
  # A bare podSelector only matches pods in this namespace; add a
  # namespaceSelector for backends elsewhere, and allow egress to
  # cluster DNS or name resolution from the controller will break.
  - to:
    - podSelector:
        matchLabels:
          role: backend