CVE-2025-1974 Affecting ingress-nginx-controller-fips-1.10 package, versions <1.10.6-r7
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CHAINGUARDLATEST-INGRESSNGINXCONTROLLERFIPS110-9519354
- published26 Mar 2025
- disclosed25 Mar 2025
Introduced: 25 Mar 2025
NewCVE-2025-1974 (opens in a new tab)How to fix?
Upgrade Chainguard ingress-nginx-controller-fips-1.10 to version 1.10.6-r7 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream ingress-nginx-controller-fips-1.10 package and not the ingress-nginx-controller-fips-1.10 package as distributed by Chainguard.
See How to fix? for Chainguard relevant fixed versions and status.
A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)