CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974: Ingress NGINX Controller RCE (Critical)
On March 24, 2025, Wiz Research disclosed critical vulnerabilities in the Kubernetes Ingress NGINX Controller. The controller's validating admission webhook renders an incoming Ingress object into a temporary NGINX configuration file and checks it with the nginx -t command; because user-supplied fields were not sanitized, attacker-controlled values could be injected into that configuration. When nginx -t processes the injected configuration, the result can be remote code execution (RCE) inside the pod running the controller.
Additional information can be found in this blog.
Important Note: To exploit these vulnerabilities, an attacker must be able to reach the admission webhook served by the ingress controller's pod and send it arbitrary AdmissionReview requests. Such access is not available by default in many environments, but it can be obtained once an attacker has a foothold within the cluster, for example by compromising another pod, or by leveraging an SSRF vulnerability in a workload that can reach the webhook. This requirement raises the barrier for exploitation, but it does not eliminate the risk.
Our security team verified that our Helm chart deployment of open-appsec / Check Point CloudGuard WAF, which uses the Ingress NGINX Controller, was affected by these vulnerabilities. Within 24 hours of the disclosure we released a fix that updates the controller to version 1.12.1, the upstream release that includes the patches and properly sanitizes user input during configuration generation.
To keep your systems safe, update your Ingress NGINX Helm deployment to the patched chart as soon as possible. Detailed deployment steps with the updated Helm chart versions are available here.
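Before and after the upgrade, it is worth confirming which controller version each cluster actually runs, since a stale image tag in one namespace is enough to keep the exposure alive. The helper below is an added example, not part of this advisory or of the open-appsec Helm chart: it classifies controller image references against the upstream ingress-nginx releases that contain the fix (v1.11.5 for the 1.11 line, v1.12.1 for the 1.12 line; later minor lines are assumed to include it). The image path pattern `*ingress-nginx/controller*` and the `SCAN_CLUSTER` switch are assumptions of this example; adjust the pattern if you run a forked or re-tagged image.

```shell
#!/bin/sh
# Added example (not from the advisory or the open-appsec project): classify
# Ingress NGINX Controller image tags against the upstream fixed releases.
# Fixed upstream: v1.11.5 (1.11 line) and v1.12.1 (1.12 line); newer minor
# lines are assumed to carry the fix, everything older is reported VULNERABLE.

IMAGE_MATCH='*ingress-nginx/controller*'   # assumption: upstream image path; adjust for forks

# Print the version carried in an image reference, e.g.
#   registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:...  ->  1.12.0
# Returns 1 when the reference has no tag (untagged or digest-only).
tag_version() {
  ref=${1%%@*}                  # drop any @sha256:... digest
  case $ref in
    *:*) tag=${ref##*:} ;;
    *)   return 1 ;;            # no colon at all: untagged
  esac
  case $tag in
    */*) return 1 ;;            # the colon was a registry port, not a tag
  esac
  printf '%s\n' "${tag#v}"
}

# Print VULNERABLE, FIXED or UNKNOWN for one image reference.
classify_image() {
  v=$(tag_version "$1") || { echo UNKNOWN; return; }
  case $v in
    *.*.*) ;;
    *) echo UNKNOWN; return ;;  # "latest", "1.12", branch names, ...
  esac
  maj=${v%%.*}; rest=${v#*.}
  min=${rest%%.*}; pat=${rest#*.}
  pat=${pat%%[!0-9]*}           # "1-rc1" -> "1"
  for n in "$maj" "$min" "$pat"; do
    case $n in ''|*[!0-9]*) echo UNKNOWN; return ;; esac
  done
  if [ "$maj" -gt 1 ]; then echo FIXED; return; fi
  if [ "$maj" -lt 1 ]; then echo VULNERABLE; return; fi
  if [ "$min" -gt 12 ]; then echo FIXED; return; fi
  if [ "$min" -eq 12 ] && [ "$pat" -ge 1 ]; then echo FIXED; return; fi
  if [ "$min" -eq 11 ] && [ "$pat" -ge 5 ]; then echo FIXED; return; fi
  echo VULNERABLE               # 1.12.0, 1.11.0-1.11.4 and every 1.10 or older release
}

# Walk every pod in the cluster and report the controller images found.
# Needs kubectl with read access to pods; enabled with SCAN_CLUSTER=1 so the
# pure classification functions above can be used without a cluster.
scan_cluster() {
  kubectl get pods --all-namespaces -o jsonpath='{range .items[*]}{.metadata.namespace}{"/"}{.metadata.name}{range .spec.containers[*]}{" "}{.image}{end}{"\n"}{end}' |
  while read -r pod images; do
    for img in $images; do
      case $img in
        $IMAGE_MATCH) printf '%-11s %s %s\n' "$(classify_image "$img")" "$pod" "$img" ;;
      esac
    done
  done
}

if [ "${SCAN_CLUSTER:-0}" = 1 ]; then
  scan_cluster
fi
```

Run it as `SCAN_CLUSTER=1 sh check-ingress-nginx.sh` against each cluster; any line starting with VULNERABLE or UNKNOWN needs a closer look. Note that the version check covers only the first half of the precondition described above: if a patched image cannot be rolled out immediately, upstream's interim guidance is to limit who can reach the admission webhook (for example with a NetworkPolicy) or to disable it temporarily, and to re-enable it once the controller is on a fixed release.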