CVE-2025-1974: Kubernetes: Vulnerability in Kubernetes NGINX Ingress Controller

Overview

Severity
N/A
Exploit Status
Not Exploited
Patch Tuesday
2025-Mar
Released
2025-03-24
EPSS Score
90.25% (percentile: 99.6%)

Description

Ingress controllers implement Kubernetes Ingress resources, routing external HTTP(S) traffic to Services inside a cluster. Azure Kubernetes Service (AKS) is aware of several security vulnerabilities affecting the Kubernetes ingress-nginx controller: CVE-2025-1098, CVE-2025-1974, CVE-2025-1097, CVE-2025-24514 and CVE-2025-24513. Customers running this controller on their AKS clusters are advised to update to the patched releases, v1.11.5 (for the 1.11 line) or v1.12.1 (for the 1.12 line), to mitigate potential risks.

FAQ

Why are we publishing this Kubernetes CVE in the Security Update Guide?

We are republishing these CVEs because on March 24, 2025, the Kubernetes SRC (Security Response Committee) published five CVEs that disclose vulnerabilities in the Kubernetes NGINX Ingress Controller (ingress-nginx). Some of these vulnerabilities might affect you if you have this component running in your Kubernetes cluster.

How do I know if I am affected by these vulnerabilities?

If you run your own Kubernetes NGINX Ingress Controller, review the CVEs and mitigate by updating to the latest patch version for your release line (v1.11.5 or v1.12.1). If you use the managed NGINX ingress with the application routing add-on on AKS, the patches are being rolled out to all regions and should be completed within a few days; no customer action is required. The status of the AKS deployment can be monitored at AKS Release Status.

Where can I find more information about these vulnerabilities?

Each CVE is tracked in a GitHub issue in the kubernetes/kubernetes repository:

  • CVE-2025-1098: GitHub issue 131008
  • CVE-2025-1974: GitHub issue 131009
  • CVE-2025-1097: GitHub issue 131007
  • CVE-2025-24514: GitHub issue 131006
  • CVE-2025-24513: GitHub issue 131005
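The "am I affected?" check above reduces to two questions: is an ingress-nginx controller running in the cluster, and is its image tag below the patched release for its line. The script below is an added example, not code from Microsoft, AKS or the ingress-nginx project. It assumes that every release older than v1.11.5 and v1.12.1 (including all earlier minor lines) is unpatched and every later release is patched, that controller images are named like the upstream registry.k8s.io/ingress-nginx/controller image or nginx-ingress-controller (mirrors that rename the image need the pattern adjusted), and it uses a constructed pod listing, not real cluster output.

```shell
#!/bin/sh
# Added example: not code from the MSRC page, AKS, or the ingress-nginx project.
# Decide, from an ingress-nginx controller image tag, whether the pod runs a
# release at or above the patched versions named in the advisory (v1.11.5 for
# the 1.11 line, v1.12.1 for the 1.12 line). Assumption: every release older
# than those two, including all earlier minor lines, is treated as unpatched
# and every later release as patched. The image-name patterns and the sample
# pod listing below are assumptions too; adjust them for renamed mirrors.

# Print "patched", "unpatched" or "unknown" for one tag such as v1.11.4,
# 1.12.1, or v1.12.0@sha256:... (a digest suffix is ignored).
ingress_nginx_status() {
    tag=${1#v}
    tag=${tag%%@*}                       # drop an @sha256:<digest> suffix
    case "$tag" in
        *-*) echo unknown; return 0 ;;   # pre-release tag: do not guess
        *.*.*) ;;                        # need a full major.minor.patch
        *) echo unknown; return 0 ;;     # e.g. "latest" or "v1.11"
    esac
    maj=${tag%%.*}
    rest=${tag#*.}
    min=${rest%%.*}
    pat=${rest#*.}
    for part in "$maj" "$min" "$pat"; do
        case "$part" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    done
    if [ "$maj" -gt 1 ]; then
        echo patched                     # assumed: released after the fix
    elif [ "$maj" -lt 1 ] || [ "$min" -lt 11 ]; then
        echo unpatched                   # 1.10 and older lines: no fixed release
    elif [ "$min" -eq 11 ]; then
        if [ "$pat" -ge 5 ]; then echo patched; else echo unpatched; fi
    elif [ "$min" -eq 12 ]; then
        if [ "$pat" -ge 1 ]; then echo patched; else echo unpatched; fi
    else
        echo patched                     # 1.13+: assumed released after the fix
    fi
}

# Read "namespace<TAB>pod<TAB>image [image ...]" lines on stdin (the format
# the kubectl command at the bottom emits) and print
# "namespace/pod image status" for every controller image found.
scan_controller_images() {
    tab=$(printf '\t')
    while IFS="$tab" read -r ns pod images; do
        for img in $images; do
            case "$img" in
                *ingress-nginx/controller*:*|*nginx-ingress-controller*:*) ;;
                *) continue ;;           # not a controller image
            esac
            ref=${img%%@*}               # strip digest before taking the tag
            printf '%s/%s %s %s\n' "$ns" "$pod" "$img" \
                "$(ingress_nginx_status "${ref##*:}")"
        done
    done
}

# Count the unpatched entries in scan_controller_images output read on stdin.
count_unpatched() {
    n=0
    while read -r _target _image status; do
        if [ "$status" = unpatched ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed sample pod listing (not real cluster output): one unpatched
# upstream controller, one patched controller from a hypothetical mirror, one
# unpatched chroot controller beside a sidecar, and one unrelated pod.
constructed_sample() {
    printf '%s\t%s\t%s\n' ingress-nginx ingress-nginx-controller-7d9c \
        'registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:0000000000000000000000000000000000000000000000000000000000000000'
    printf '%s\t%s\t%s\n' app-routing-system nginx-5b8 \
        'mirror.example.invalid/ingress/nginx-ingress-controller:v1.12.1'
    printf '%s\t%s\t%s\n' edge edge-ingress-0 \
        'registry.k8s.io/ingress-nginx/controller-chroot:v1.12.0 docker.io/library/busybox:1.36'
    printf '%s\t%s\t%s\n' kube-system coredns-abc \
        'registry.k8s.io/coredns/coredns:v1.11.1'
}

# Against a live cluster, feed scan_controller_images the same line format:
#   kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{range .spec.containers[*]}{.image}{" "}{end}{"\n"}{end}' | scan_controller_images
# Run "sh check.sh --demo" to scan the constructed sample instead.
if [ "${1:-}" = --demo ]; then
    constructed_sample | scan_controller_images
fi
```

On the constructed sample the scan reports the v1.11.4 and v1.12.0 controllers as unpatched and the v1.12.1 one as patched; pre-release or non-semver tags come back as "unknown" rather than being guessed, so they still need a manual look. The AKS managed add-on is patched by the rollout described above, so the check matters most for self-managed controllers, including any deployed in a cluster alongside the add-on.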

Detection & Weaponization (2 sources)

Maturity: Exploit (public proof-of-concept code and a scanner template exist; the "Not Exploited" status above is the vendor's assessment at publication, not evidence that exploitation has not occurred)

  • Nuclei templates: Ingress-Nginx Controller - Remote Code Execution
  • GitHub PoC: 24 repositories

Affected Products (1)

Azure

  • Azure Kubernetes Service

Revision History

  • 2025-03-24: Information published.