What is the CVSS score of CVE-2025-1974?

CVE-2025-1974 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 90.3%.

Which versions of Kubernetes are affected by CVE-2025-1974?

Organizations using A security face critical risk from CVE-2025-1974 rated CVSS 9.8.. A patch is available.

Is there a public PoC exploit available for CVE-2025-1974?

Yes, a public proof-of-concept exploit is available for CVE-2025-1974. Prioritise patching immediately. EPSS: 90.3%.

How to fix or mitigate CVE-2025-1974?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Monitor vendor channels for patch availability.

Kubernetes CVE-2025-1974

CRITICAL

Improper Isolation or Compartmentalization (CWE-653)

2025-03-25 jordan@liggitt.net

RCE Kubernetes Nginx Red Hat Suse

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 28, 2026 - 18:33 vuln.today

PoC Detected

Feb 04, 2026 - 20:16 vuln.today

Public exploit code

CVE Published

Mar 25, 2025 - 00:15 nvd

CRITICAL 9.8

DescriptionNVD

A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

AnalysisAI

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access to achieve arbitrary code execution in the controller context. Dubbed 'IngressNightmare', this flaw exposes cluster Secrets including TLS certificates and service account tokens accessible to the ingress controller.

Technical ContextAI

The ingress-nginx controller's admission webhook validates Ingress resources but can be exploited to inject arbitrary NGINX configuration directives. By sending crafted AdmissionReview requests to the webhook endpoint, an attacker with pod network access can inject configuration that causes the controller to execute arbitrary code. The controller typically has read access to all cluster Secrets for TLS termination.

Affected ProductsAI

ingress-nginx controller (default Kubernetes installation) Kubernetes clusters using ingress-nginx for ingress management

RemediationAI

Update ingress-nginx controller to the patched version. Restrict network access to the admission webhook endpoint using NetworkPolicies. Minimize the controller's RBAC permissions. Consider migrating to alternative ingress controllers with smaller privilege footprints.