Kubernetes Ingress NGINX Controller vulnerabilities

Five vulnerabilities affecting the Ingress Nginx Controller for Kubernetes were publicly disclosed on March 24, 2025, and were given the nickname 'IngressNightmare'.

The ‘IngressNightmare’ vulnerabilities may allow Remote Code Execution (RCE) and potentially expose Kubernetes clusters to malicious configuration modifications. Exploitation requires specially crafted HTTP requests that bypass security measures, such as a Web Application Firewall (WAF). Successful exploitation may lead to complete cluster compromise, data exfiltration, and denial of service.

Details of the CVEs:

CVE-2025-1974 (CVSS score: 9.8) – An unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller under certain conditions
CVE-2025-24514 (CVSS score: 8.8) – The auth-url Ingress annotation can be used to inject configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller
CVE-2025-1097 (CVSS score: 8.8) – The auth-tls-match-cn Ingress annotation can be used to inject configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller
CVE-2025-1098 (CVSS score: 8.8) – The mirror-target and mirror-host Ingress annotations can be used to inject arbitrary configuration into NGINX, resulting in arbitrary code execution in the context of the ingress-nginx controller and disclosure of secrets accessible to the controller
CVE-2025-24513 (CVSS score: 4.8) – An improper input validation vulnerability that could result in directory traversal within the container, leading to denial-of-service (DoS) or limited disclosure of secret objects from the cluster when combined with other vulnerabilities

How do these vulnerabilities affect Cloudera DataFlow on cloud?

For mitigating CVE-2025-1974 on Cloudera DataFlow on cloud, refer to the information below.

Mitigation of CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-24513 is secondary to the previous CVE. They require no immediate action, as attackers can only exploit these with direct access to cluster hosts and privileges to create arbitrary ingress objects via the Kubernetes API.

For the latest updates on this issue, see the corresponding Knowledge articles:

Instructions

1. Check your current version

To determine which version your cluster is running, use either the UI or the CLI:

DataFlow Service version discovery from the UI:

In Cloudera DataFlow, from the Environments page, select the environment you want to inspect.
Click Manage DataFlow from the Environment Details pane.
Look for “DATAFLOW VERSION”.

DataFlow Service version discovery from the CLI:

Run the cdp df list-services command to display a list of the environments with their workload versions included.
Run cdp df describe-service --service-crn <DataFlow CRN> to display more detailed information about an environment and display the DataFlow version.

note
For instructions on how to install and use the Cloudera CLI, refer to the CLI documentation.

2. Mitigation steps for Cloudera DataFlow on Cloud

Upgrade the “ingress-nginx” controller component deployed by Cloudera DataFlow to version v1.11.5 for all environments running Cloudera DataFlow versions 2.9.0 and lower. To apply the patch to the environment:

Go to Cloudera DataFlow in the Cloudera Management Console.
Select the target environment for the patch from the “Environments” list.
Click “Manage Cloudera Data Flow service” in the upper right corner.
Click the “Actions” dropdown menu, and select “Download Kubeconfig”.
A KubeConfig yaml file will be downloaded to your local machine. (Named “kubeconfig.yaml” by default.)
Depending on your operating system, follow the instructions at https://kubernetes.io/docs/tasks/tools/#kubectl to install the “kubectl” binary to your local machine.

Create a text file called bump-controller-version.yaml, add the following text, and save the file.

# kubectl -n nginx-ingress patch helmreleases.helm.toolkit.fluxcd.io ingress-nginx --patch-file admission-webhook-off.yaml --type merge

spec:

  values:

    ingress-nginx:

      controller:

        image:

          tag: v1.11.5

Open a terminal or command prompt, and run (from the directory you saved the yaml files) the following command to test your access to the Kubernetes API server:

kubectl --kubeconfig kubeconfig.yaml get nodes

The command prints out information about the list of worker nodes.
Execute the following command to apply the patch:
kubectl --kubeconfig kubeconfig.yaml -n nginx-ingress patch helmreleases ingress-nginx --patch-file bump-controller-version.yaml --type merge
It prints out helmrelease.helm.toolkit.fluxcd.io/ingress-nginx patched on successful execution.
Execute the following command and verify that the printout in the command line ends with v1.11.5:
kubectl --kubeconfig kubeconfig.yaml -n nginx-ingress get deployment dfx-nifi-nginx-ingress-controller -o jsonpath='{.spec.template.spec.containers[?(@.name=="controller")].image}'
Execute to watch the progress of the upgrade as the ingress-nginx controller pod is restarted in the background:
kubectl --kubeconfig kubeconfig.yaml -n nginx-ingress get deployments dfx-nifi-nginx-ingress-controller -w
Wait until the columns show the following:
1. “READY” column showing “1/1”,
2. “UP-TO-DATE” column showing “1”,
3. “AVAILABLE” column showing “1”
Press “Ctrl-C” to return to the command line.

note
While executing the upgrade, for a short duration (usually a second or two)users may briefly lose connectivity to the workload side UI for deploying new flows or accessing the NiFi Web UI of existing flows, but there’s no interruption to data processing in any existing flows.
Verify that the new “ingress-nginx” controller is working properly by accessing the NiFi Web UI of any existing flow.
Repeat the process for each environment where the patch needs to be applied.