Why Ingress Nginx’s Architecture Turns Security Into a Nightmare – 5 New Critical CVEs Explained

Recent security research reveals five critical CVEs in the Kubernetes Ingress Nginx controller. They stem from a design that places the control plane and the data plane in one container, exposing clusters to unauthenticated remote code execution. The same design also causes the stability and operational problems that motivate alternative cloud‑native ingress solutions.

Alibaba Cloud Native

Ingress Nightmare illustration

Background

In 2022 three high‑severity CVEs (CVE‑2021‑25745, CVE‑2021‑25746, CVE‑2021‑25748) were disclosed in the Kubernetes Ingress Nginx controller. After a period of focusing on stability, the project recently disclosed five new vulnerabilities rated up to critical (among them CVE‑2025‑1097, CVE‑2025‑1098, CVE‑2025‑24514 and CVE‑2025‑1974), with CVSS v3.1 scores up to 9.8, collectively dubbed #IngressNightmare.

Root Cause – Architectural Design Flaw

The controller runs the control‑plane Admission Controller (a Go program that validates and renders Ingress objects into Nginx configuration) and the data‑plane Nginx process inside a single container. Because of this co‑location the Admission Controller holds high privileges and unrestricted network access, so any flaw in the way it handles incoming Ingress definitions becomes a privilege‑escalation path.

Vulnerability Details

CVE‑2025‑24514 – auth‑url annotation injection

CVE‑2025‑1097 – auth‑tls‑match‑cn annotation injection

CVE‑2025‑1098 – mirror UID injection

CVE‑2025‑1974 – Nginx configuration code execution

Exploitation works by sending a malicious AdmissionReview request that injects directives such as ssl_engine into the generated Nginx configuration. The attacker can also abuse the client-body buffer feature to upload a shared library, which is later loaded when the controller runs nginx -t, achieving remote code execution without authentication.
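As an added defender‑side example (not code from the article or the ingress‑nginx project), the linter below scans Ingress objects for annotation values that could break out of the single Nginx directive the controller renders them into. The three annotation keys are the ingress‑nginx ones that correspond to the article's CVE list (the mapping of "mirror UID injection" to mirror-target is an assumption); the Ingress objects are constructed sample input.

```python
"""Flag Ingress annotations that carry Nginx directive terminators or block characters.
Added example; the annotation-to-CVE mapping and the sample objects are assumptions."""
import re

PREFIX = "nginx.ingress.kubernetes.io/"
# Annotation keys whose values are templated into nginx.conf (auth-url, auth-tls-match-cn
# and mirror-target, matching the article's CVE list).
WATCHED = {
    PREFIX + "auth-url",
    PREFIX + "auth-tls-match-cn",
    PREFIX + "mirror-target",
}
# Characters that end a directive (";", newline), open or close a block ("{", "}") or
# start a comment ("#"). A legitimate URL or certificate CN never needs a newline or braces.
SUSPECT = re.compile(r"[;\r\n{}#]")


def find_injection_risks(ingress):
    """Return (namespace, name, annotation, value) for every suspicious annotation."""
    meta = ingress.get("metadata", {})
    annotations = meta.get("annotations") or {}
    hits = []
    for key, value in annotations.items():
        if key in WATCHED and isinstance(value, str) and SUSPECT.search(value):
            hits.append((meta.get("namespace", "default"), meta.get("name", "?"), key, value))
    return hits


def scan(ingress_list):
    """Flatten findings for a list such as the 'items' of `kubectl get ingress -A -o json`."""
    findings = []
    for ing in ingress_list:
        findings.extend(find_injection_risks(ing))
    return findings


# Constructed sample objects: one benign, one carrying a directive terminator in auth-url.
BENIGN = {
    "metadata": {
        "namespace": "shop",
        "name": "web",
        "annotations": {PREFIX + "auth-url": "https://auth.shop.svc/verify"},
    },
}
TAMPERED = {
    "metadata": {
        "namespace": "shop",
        "name": "api",
        "annotations": {PREFIX + "auth-url": "https://auth.shop.svc/verify;\nbogus_directive on"},
    },
}

if __name__ == "__main__":
    for ns, name, key, value in scan([BENIGN, TAMPERED]):
        print(f"{ns}/{name}: {key} = {value!r}")
```

Run it over the `items` array of `kubectl get ingress -A -o json` to audit existing objects; the same check can be enforced at admission time by a validating policy so that such values never reach the controller's template in the first place.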

Impact

Wiz Research estimates that about 43 % of cloud environments could be affected. Successful exploitation gives the attacker unrestricted access to all namespaces, the ability to read secrets, and full cluster takeover.

Mitigation and Patch

The vulnerabilities are fixed in Ingress Nginx Controller versions 1.12.1, 1.11.5 and 1.10.7. Users should upgrade immediately and ensure that the Admission Webhook endpoint is not exposed publicly.
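The following audit helper is an added example, not code from the article or the ingress‑nginx project. It compares running controller image tags against the fixed versions the article names and flags an admission‑webhook Service that is reachable from outside the cluster. The pod and Service objects are constructed input, and the Service name `ingress-nginx-controller-admission` is assumed from the upstream manifests.

```python
"""Audit ingress-nginx controller versions and admission-webhook exposure.
Added example; fixed versions come from the article, sample objects are constructed."""
import re

# Fixed versions per release line, as stated in the article.
FIXED = {(1, 12): (1, 12, 1), (1, 11): (1, 11, 5), (1, 10): (1, 10, 7)}
NEWEST_FIXED_LINE = max(FIXED)


def parse_version(image):
    """Extract (major, minor, patch) from an image reference such as
    registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:...; None if no tag."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(image):
    """True when the tag is at or above the fixed version for its release line.
    Lines older than 1.10 are treated as unpatched, lines newer than 1.12 as patched."""
    v = parse_version(image)
    if v is None:
        return False  # digest-only or untagged reference: cannot vouch for it
    line = v[:2]
    if line in FIXED:
        return v >= FIXED[line]
    return line > NEWEST_FIXED_LINE


def audit_pods(pods):
    """Return (namespace, pod, image, patched) for each container running the controller."""
    rows = []
    for pod in pods:
        meta = pod["metadata"]
        for c in pod["spec"]["containers"]:
            if "ingress-nginx/controller" in c["image"]:
                rows.append((meta["namespace"], meta["name"], c["image"], is_patched(c["image"])))
    return rows


def webhook_exposed(service):
    """A ClusterIP admission Service stays inside the cluster; NodePort or LoadBalancer
    makes the webhook reachable from outside, which the article warns against."""
    return service["metadata"]["name"].endswith("-admission") and service["spec"].get(
        "type", "ClusterIP"
    ) in ("NodePort", "LoadBalancer")


# Constructed sample objects, shaped like `kubectl get pods/svc -o json` items.
SAMPLE_PODS = [
    {"metadata": {"namespace": "ingress-nginx", "name": "ctl-a"},
     "spec": {"containers": [{"image": "registry.k8s.io/ingress-nginx/controller:v1.11.3"}]}},
    {"metadata": {"namespace": "ingress-nginx", "name": "ctl-b"},
     "spec": {"containers": [
         {"image": "registry.k8s.io/ingress-nginx/controller:v1.12.1@sha256:" + "0" * 64}]}},
]
SAMPLE_SERVICE = {"metadata": {"name": "ingress-nginx-controller-admission"},
                  "spec": {"type": "LoadBalancer"}}

if __name__ == "__main__":
    for ns, name, image, ok in audit_pods(SAMPLE_PODS):
        print(f"{ns}/{name}: {image} -> {'patched' if ok else 'UPGRADE'}")
    print("admission webhook exposed:", webhook_exposed(SAMPLE_SERVICE))
```

Feed it the `items` arrays from `kubectl get pods -A -o json` and `kubectl get svc -A -o json`; a `False` in the last column, or an exposed webhook Service, is an item for the upgrade list.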

Stability Problems Caused by the Same Design

Because the control‑plane and data‑plane share a container, resource contention can trigger liveness‑probe failures, causing the pod to restart. The health‑check endpoint (/healthz on port 10254) may time out under load, leading to traffic loss. Configuration reloads also break long‑lived connections such as WebSockets.

Operational Complexity

Pod IPs change frequently, making static routing brittle.

Configuration files must be kept in sync across multiple Nginx pods.

Persistent storage is required for config and access logs.

Custom monitoring modules need to be installed and integrated with external observability stacks.

Alternative Ingress Solutions

Higress (based on Istio + Envoy) and its commercial counterpart MSE Ingress separate the control‑plane from the data‑plane, use xDS for configuration distribution, and support hot‑reloading via WASM without affecting long connections. They also provide better observability and stability.

Comparison Overview

Both solutions delegate traffic handling to a dedicated data‑plane gateway, while the controller only manages configuration resources. This eliminates the privileged escalation path present in the Nginx Ingress architecture and resolves the stability issues described above.

Ingress Nginx container architecture

Higress vs MSE architecture