IngressNightmare Vulnerabilities: All You Need to Know

On March 24, 2025 a set of critical vulnerabilities dubbed "IngressNightmare" (including CVE-2025-1974, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098 and CVE-2025-24513) was disclosed in the ingress-nginx Controller for Kubernetes; the most severe (CVE-2025-1974, CVSS 9.8) enables unauthenticated RCE via malicious Ingress objects and can lead to full cluster takeover and exposure of secrets. Researchers found over 6,500 publicly reachable vulnerable clusters (including Fortune 500 targets) and an exploit was published; the advisory provides detection commands, platform-specific notes, and recommended mitigations (upgrade to patched versions 1.12.1 or 1.11.5, restrict admission webhook network access, or temporarily disable admission webhooks) plus scanning guidance using Aqua/Trivy.