Ingress-Nginx Admission Controller RCE Escalation

Severity:
Critical (Base score 9.8) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Overview

A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

See CWE-653: Improper Isolation or Compartmentalization

Description

Versions 1.2.0 and earlier of Vaadin Control Center deploy NGINX Ingress Controller version 1.12.0 by default (unless explicitly disabled using ingress-nginx.enabled=false). This version of the ingress controller is affected by a recently discovered vulnerability (CVE-2025-1974), which may allow an attacker to exploit the ingress controller under specific conditions.

This issue has been addressed in NGINX Ingress Controller version 1.12.1, and Vaadin Control Center 1.2.1 has been released to deploy this fixed version of the ingress controller.

Users are strongly advised to verify the currently deployed NGINX Ingress Controller version with the following command:

kubectl get deployment -A -l app.kubernetes.io/name=ingress-nginx -L app.kubernetes.io/version

If the version reported is earlier than 1.12.1 and NGINX Ingress was installed via Control Center, upgrade to Control Center 1.2.1 using Helm (replace my-namespace with the namespace where Control Center is installed):

helm upgrade control-center oci://docker.io/vaadin/control-center --namespace my-namespace --reuse-values

After upgrading, re-run the version verification command to ensure NGINX Ingress Controller is now 1.12.1 or later.
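The verification step above is easy to misread in a cluster with several ingress-nginx deployments. The following script, added here as an illustration and not part of the advisory or of Vaadin's tooling, parses the output of the kubectl command shown above, compares each reported version against 1.12.1 and flags anything older or unparseable. The sample table embedded in it is constructed, not captured from a real cluster.

```shell
#!/bin/sh
# Added check (not Vaadin's own tooling): parse the output of the kubectl command
# from the advisory and flag any ingress-nginx deployment older than the fixed release.
MIN_VERSION="1.12.1"   # first ingress-nginx release containing the fix for CVE-2025-1974

# version_ge A B: return 0 when A >= B, comparing major.minor.patch numerically.
# A leading "v" is dropped; missing components are treated as 0.
version_ge() {
    a="${1#v}.0.0"
    b="${2#v}.0.0"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Read the kubectl table on stdin (NAMESPACE NAME READY UP-TO-DATE AVAILABLE AGE VERSION),
# print a verdict per deployment, and return 1 if any deployment needs attention.
check_ingress_versions() {
    rc=0
    while read -r ns name ready uptodate available age version; do
        case "$ns" in ''|NAMESPACE) continue ;; esac   # skip blank lines and the header row
        case "${version#v}" in
            ''|*[!0-9.]*)   # missing version label, or a pre-release/unparseable value
                echo "UNKNOWN    $ns/$name version='$version' (verify manually)"; rc=1; continue ;;
        esac
        if version_ge "$version" "$MIN_VERSION"; then
            echo "OK         $ns/$name $version"
        else
            echo "VULNERABLE $ns/$name $version (< $MIN_VERSION, CVE-2025-1974)"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample of what kubectl prints (not captured from a real cluster).
SAMPLE='NAMESPACE        NAME                       READY   UP-TO-DATE   AVAILABLE   AGE   VERSION
control-center   ingress-nginx-controller   1/1     1            1           30d   1.12.0
staging          ingress-nginx-controller   1/1     1            1           2d    1.12.1'

# Real use: kubectl get deployment -A -l app.kubernetes.io/name=ingress-nginx \
#             -L app.kubernetes.io/version | check_ingress_versions
printf '%s\n' "$SAMPLE" | check_ingress_versions \
    || echo "Action required: upgrade Control Center to 1.2.1 (helm upgrade ... --reuse-values)"
```

Run it again after the Helm upgrade; every row should read OK before the cluster is considered remediated.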

Affected products and mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

Product version                          Mitigation
Vaadin Control Center 1.2.0 and older    Upgrade to 1.2.1

Artifacts

Vaadin Control Center is distributed via a Helm chart and does not have Maven artifacts. Helm chart path: oci://docker.io/vaadin/control-center

References

Original CVE: nvd.nist.gov/vuln/detail/CVE-2025-1974

Kubernetes issue: github.com/kubernetes/kubernetes/issues/131009

Kubernetes blog: kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/

History

  • 2023-03-23: Vulnerability reported
  • 2023-03-25: Vulnerability fixed
  • 2025-03-31: Initial vulnerability report published