Ingress NGINX Controller for Kubernetes - Vulnerabilities fixed in controller-v1.12.1

Created on 2025-03-25 10:40 and updated on 2025-03-25 10:40.

Description

Unfortunately, to fix CVE-2025-1974 it was necessary to disable the validation of the generated NGINX configuration during the validation of Ingress resources.

The resulting NGINX configuration is still checked before the actual loading, so that there are no failures of the underlying NGINX. However, invalid Ingress resources can lead to the NGINX configuration no longer being able to be updated.

To reduce such situations as far as possible, we therefore recommend enabling annotation validation and disabling snippet annotations. In case of doubt, such states can be determined from the logs of the Ingress NGINX Controller. Watch out for a line of dashes followed by "Error:" telling you what went wrong.

Vulnerabilities included in this bundle

CVE-2025-24513: ingress-nginx controller - auth secret file path traversal vulnerability
CVE-2025-24514: ingress-nginx controller - configuration injection via unsanitized auth-url annotation
CVE-2025-1097:
CVE-2025-1974:
CVE-2025-1098:

Author

Alexandre Dulaunoy

Combined sightings

Author	Vulnerability	Source	Type	Date