A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

Affected Packages

Go k8s.io/ingress-nginx

Affected versions: 0 (fixed in 1.11.5)

Go k8s.io/ingress-nginx

Affected versions: 1.12.0-beta.0 (fixed in 1.12.1)

Related CVEs

CVE-2025-1974

Key Information

GHSA ID

GHSA-mgvx-rpfc-9mpv

Published

March 25, 2025 12:30 AM

Last Modified

March 25, 2025 3:10 PM

CVSS Score

9.0 /10

Primary Ecosystem

Primary Package

k8s.io/ingress-nginx

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 25, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.