x/vulndb: potential Go vuln in k8s.io/ingress-nginx: GHSA-mgvx-rpfc-9mpv

[GoVulnBot]

Advisory GHSA-mgvx-rpfc-9mpv references a vulnerability in the following Go modules:

Module
k8s.io/ingress-nginx

Description:
A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

References:

• ADVISORY: GHSA-mgvx-rpfc-9mpv
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-1974
• REPORT: CVE-2025-1974: ingress-nginx admission controller RCE escalation kubernetes/kubernetes#131009
• WEB: https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.11.5
• WEB: https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.12.1
• WEB: https://groups.google.com/g/kubernetes-security-announce/c/2qa9DFtN0cQ

Cross references:

• k8s.io/ingress-nginx appears in 7 other report(s):
  • data/excluded/GO-2022-0613.yaml (x/vulndb: potential Go vuln in k8s.io/ingress-nginx: GHSA-pvmg-xgmx-9mxh #613) NOT_IMPORTABLE
  • data/excluded/GO-2023-1789.yaml (x/vulndb: potential Go vuln in k8s.io/ingress-nginx: GHSA-863x-868h-968x #1789) NOT_IMPORTABLE
  • data/excluded/GO-2023-1916.yaml (x/vulndb: potential Go vuln in k8s.io/ingress-nginx: GHSA-hhpm-74pm-hf35 #1916) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1953.yaml (x/vulndb: potential Go vuln in k8s.io/ingress-nginx: GHSA-p3x5-5xpx-9phm #1953) NOT_IMPORTABLE
  • data/excluded/GO-2023-2174.yaml (x/vulndb: potential Go vuln in k8s.io/ingress-nginx: GHSA-5wj4-wffq-3378 #2174) NOT_IMPORTABLE
  • data/excluded/GO-2023-2175.yaml (x/vulndb: potential Go vuln in k8s.io/ingress-nginx: GHSA-gvrm-w2f9-f77q #2175) NOT_IMPORTABLE
  • data/reports/GO-2024-2428.yaml (x/vulndb: potential Go vuln in k8s.io/ingress-nginx: GHSA-fp9f-44c2-cw27 #2428)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: k8s.io/ingress-nginx
      non_go_versions:
        - fixed: 1.11.5
        - introduced: 1.12.0-beta.0
        - fixed: 1.12.1
      vulnerable_at: 0.0.0-20250325144035-1d7abc12ef72
summary: ingress-nginx admission controller RCE escalation in k8s.io/ingress-nginx
cves:
    - CVE-2025-1974
ghsas:
    - GHSA-mgvx-rpfc-9mpv
references:
    - advisory: https://github.com/advisories/GHSA-mgvx-rpfc-9mpv
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-1974
    - report: https://github.com/kubernetes/kubernetes/issues/131009
    - web: https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.11.5
    - web: https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.12.1
    - web: https://groups.google.com/g/kubernetes-security-announce/c/2qa9DFtN0cQ
source:
    id: GHSA-mgvx-rpfc-9mpv
    created: 2025-03-25T16:01:36.101580943Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/660559 mentions this issue: data/reports: add 28 reports