Updating Ingress Nginx to protect against CVE 2025-1975

Critical Vulnerability in Ingress Nginx

I learned about CVE-2025-1974 on X on Tuesday 25 March 2025. This is a critical vulnerability that allows an unauthenticated attacker to take over an entire cluster through arbitrary code execution in the context of the ingress-nginx controller. The vulnerability allows the attacker to access all Secrets stored in the cluster.

The fix

Ingress nginx is installed via manifest in my clusters, so to update it, I downloaded the latest manifest from the official repo:

curl -LO https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.1/deploy/static/provider/cloud/deploy.yaml

I went through the manifest, comparing it to the one I have, and did a find and replace on all fields that had changed; mostly image tags and a few extra container arguments.

I pushed the changes up to Git, but FluxCD couldn't reconcile (apply the changes) because the upgrade tried to change the Job responsible for setting up the admission webhook certificates. Kubernetes treats a Job's spec as immutable once the Job exists, so the apply was rejected and the rollout failed.

I resolved this problem by deleting the existing job manually:

kubectl delete job -n ingress-nginx ingress-nginx-admission-create

and after that, FluxCD was able to complete the update.
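The review I did by hand above (finding the changed image tags, and spotting the Job whose definition changes and therefore has to be deleted before the apply) can be scripted. The following is an added example, not code from the original post or from the ingress-nginx project: it takes the current and the downloaded manifest, prints the container images that differ, and prints every Job whose YAML document differs between the two. The two manifests it runs against are constructed samples with a made-up registry and tags, not the real deploy.yaml.

```shell
#!/bin/sh
# Added example, not code from the original post: review an ingress-nginx
# manifest upgrade before committing it. It lists the container images that
# changed and the Jobs whose definition changed, because a Job's spec is
# immutable and such Jobs must be deleted before the new manifest is applied.
# The manifests below are constructed samples with a made-up registry/tags.

# Print every "image:" value in manifest $1, de-duplicated and sorted.
list_images() {
  grep -E '^[[:space:]]*image:[[:space:]]' "$1" |
    sed -E 's/^[[:space:]]*image:[[:space:]]*//' | sort -u
}

# Print the images that appear in the new manifest ($2) but not in the old one ($1).
changed_images() {
  old=$(mktemp); new=$(mktemp)
  list_images "$1" >"$old"; list_images "$2" >"$new"
  comm -13 "$old" "$new"
  rm -f "$old" "$new"
}

# Print the YAML document of kind $2 named $3 from manifest $1 (empty if absent).
extract_doc() {
  awk -v want_kind="$2" -v want_name="$3" '
    function flush() {
      if (kind == want_kind && name == want_name) printf "%s", buf
      buf = ""; kind = ""; name = ""
    }
    /^---/ { flush(); next }
    { buf = buf $0 "\n" }
    /^kind: / { kind = $2 }
    /^  name: / && name == "" { name = $2 }   # metadata.name is indented two spaces
    END { flush() }
  ' "$1"
}

# Print the metadata.name of every Job in manifest $1.
list_jobs() {
  awk '
    function flush() { if (kind == "Job" && name != "") print name; kind = ""; name = "" }
    /^---/ { flush(); next }
    /^kind: / { kind = $2 }
    /^  name: / && name == "" { name = $2 }
    END { flush() }
  ' "$1"
}

# Print the Jobs in the new manifest ($2) whose document differs from the old ($1).
# These are the Jobs an apply will reject; delete them first, then apply.
jobs_to_recreate() {
  list_jobs "$2" | while read -r job; do
    [ "$(extract_doc "$1" Job "$job")" = "$(extract_doc "$2" Job "$job")" ] || echo "$job"
  done
}

# Constructed sample manifests (registry and tags are made up for this example).
OLD=$(mktemp); NEW=$(mktemp)
trap 'rm -f "$OLD" "$NEW"' EXIT
cat >"$OLD" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ingress-nginx-controller
spec:
  template:
    spec:
      containers:
        - name: controller
          image: registry.example/ingress-nginx/controller:v1.12.0
---
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-create
spec:
  template:
    spec:
      containers:
        - name: create
          image: registry.example/ingress-nginx/kube-webhook-certgen:v1.5.0
---
apiVersion: batch/v1
kind: Job
metadata:
  name: ingress-nginx-admission-patch
spec:
  template:
    spec:
      containers:
        - name: patch
          image: registry.example/tools/webhook-patcher:v1
EOF
# The "new" manifest bumps the controller and certgen tags; the patch Job is unchanged.
sed -e 's/controller:v1.12.0/controller:v1.12.1/' \
    -e 's/kube-webhook-certgen:v1.5.0/kube-webhook-certgen:v1.5.1/' "$OLD" >"$NEW"

echo "Changed images:"; changed_images "$OLD" "$NEW"
echo "Jobs to delete before apply:"; jobs_to_recreate "$OLD" "$NEW"
```

Run it with the current manifest as `$OLD` and the freshly downloaded deploy.yaml as `$NEW`; each name printed under "Jobs to delete before apply" is one to pass to `kubectl delete job -n ingress-nginx` before FluxCD (or `kubectl apply`) picks up the new manifest. The parser only understands the flat `kind:` / `metadata: name:` layout that generated manifests use, which is enough for this review and keeps the script free of extra tooling.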

Conclusion

Updating ingress-nginx was simple: I updated the manifest I had with the latest changes and pushed them to Git. Setting up GitOps for my clusters from the start was a good decision.