Nginx "IngressNightmare"
This document (000021756) is provided subject to the disclaimer at the end of this document.
Environment
The vulnerability affects the ingress-nginx component. If you do not have it installed on your cluster, then you are not affected.
If you are using RKE1, you can check if you have ingress-nginx running with:
kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx
If you are using RKE2, then the command will look similar, but the name will change from ingress-nginx to rke2-ingress-nginx:
kubectl get pods --all-namespaces --selector app.kubernetes.io/name=rke2-ingress-nginx
The affected versions of ingress-nginx are:
- v1.11.4 and all earlier versions
- v1.12.0
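As an added example (not part of the SUSE KB), the script below classifies an ingress-nginx image tag against the two affected ranges listed above and, when kubectl is available, looks up the running controller's image using the same pod selectors the KB uses. It assumes the image tag begins with the upstream version (for example "v1.12.0" or a distribution-suffixed "v1.12.0-hardened1"; the part after the first "-" is ignored) and that the image is referenced by tag rather than by digest.

```shell
#!/bin/sh
# Added example, not from the SUSE KB. Classifies an ingress-nginx version tag
# against the affected ranges: v1.11.4 and earlier, or exactly v1.12.0.
# Assumption: the tag starts with the upstream version; any "-suffix" is ignored.

# Return 0 if TAG is affected, 1 if it is outside the affected range,
# 2 if the tag cannot be parsed (treat that as "verify manually").
is_affected_version() {
    ver=${1#v}            # drop the leading "v"
    ver=${ver%%-*}        # drop a distribution suffix such as "-hardened1"
    IFS=. read -r major minor patch <<EOF
$ver
EOF
    minor=${minor:-0}
    patch=${patch:-0}
    case "$major$minor$patch" in
        ''|*[!0-9]*) echo "unparseable tag: $1" >&2; return 2 ;;
    esac
    [ "$major" -lt 1 ] && return 0              # 0.x releases predate the fix
    [ "$major" -gt 1 ] && return 1
    [ "$minor" -lt 11 ] && return 0             # everything before 1.11
    [ "$minor" -eq 11 ] && [ "$patch" -le 4 ] && return 0
    [ "$minor" -eq 12 ] && [ "$patch" -eq 0 ] && return 0
    return 1
}

# Live check of the running controller image; skipped when kubectl is missing.
# Uses the KB's pod selectors: ingress-nginx (RKE1) and rke2-ingress-nginx (RKE2).
check_running_controller() {
    command -v kubectl >/dev/null 2>&1 || { echo "kubectl not found; skipping live check" >&2; return 0; }
    for name in ingress-nginx rke2-ingress-nginx; do
        image=$(kubectl get pods --all-namespaces --selector "app.kubernetes.io/name=$name" \
            -o jsonpath='{.items[0].spec.containers[0].image}' 2>/dev/null) || continue
        [ -n "$image" ] || continue
        tag=${image##*:}        # assumption: image referenced by tag, not by digest
        rc=0; is_affected_version "$tag" || rc=$?
        case $rc in
            0) echo "$name: $image is AFFECTED; upgrade or apply the workaround" ;;
            1) echo "$name: $image is not in the affected range" ;;
            *) echo "$name: $image has an unrecognised tag; verify manually" ;;
        esac
    done
}

# Constructed sample tags (not read from a cluster) to show the classification.
for t in v1.11.4 v1.11.5 v1.12.0 v1.12.1 v1.12.0-hardened1; do
    rc=0; is_affected_version "$t" || rc=$?
    echo "$t -> affected=$rc (0 = affected, 1 = fixed)"
done
check_running_controller
```

Run it on a node or workstation with cluster access; without kubectl only the constructed samples are classified.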
Harvester Users:
If you are using Harvester, please refer to this KB article here for additional information:
Situation
Context
On March 24th, 2025, the upstream Kubernetes project announced five security vulnerabilities (CVEs) in the ingress-nginx component.
In this KB article, we address these five CVEs with mitigation steps and list the released Kubernetes versions that contain the latest ingress-nginx version for RKE1 and RKE2.
See the additional information section at the end of this document for all the relevant links for the vulnerabilities. Kubernetes also released a blog post to provide context about the issues in question.
Resolution
RKE2 users can upgrade to one of the following Kubernetes versions:
- v1.32.3+rke2r1: https://github.com/rancher/rke2/releases/tag/v1.32.3%2Brke2r1
- v1.31.7+rke2r1: https://github.com/rancher/rke2/releases/tag/v1.31.7%2Brke2r1
- v1.30.11+rke2r1: https://github.com/rancher/rke2/releases/tag/v1.30.11%2Brke2r1
- v1.29.15+rke2r1: https://github.com/rancher/rke2/releases/tag/v1.29.15%2Brke2r1
For RKE1 CLI users, the following versions include the ingress-nginx patches:
If you are not using the RKE1 CLI tool (binary), please ensure that you upgrade to one of these Kubernetes versions to include the latest ingress-nginx version:
- v1.32.3-rancher1-1 or higher
- v1.31.7-rancher1-1
- v1.30.11-rancher1-1
- v1.29.15-rancher1-1
Important Note: K3s, in its default configuration, is not affected by these vulnerabilities as it does not utilize ingress-nginx.
If you are unable to upgrade now, SUSE strongly advises disabling the ingress-nginx admission webhooks to significantly mitigate the risk associated with CVE-2025-1974 and CVE-2025-24513. Disabling these webhooks is a critical, albeit temporary, security measure.
Workaround for CVE-2025-1974 and CVE-2025-24513
Immediate Action Required: Disable Admission Webhooks
RKE2 Mitigation Steps:
If you are using RKE2 and the built-in chart, a HelmChartConfig can be used to disable the controller admission webhook, as in this example:
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |
    controller:
      admissionWebhooks:
        enabled: false
The HelmChartConfig can be added for clusters provisioned by Rancher when editing the cluster in Cluster Management. This may be an option called "Additional Manifests" in the left-hand list, or nested under "Add-On Config" depending on the Rancher version.
For standalone RKE2 clusters, the HelmChartConfig file can be populated on each rke2-server node in the /var/lib/rancher/rke2/server/manifests directory.
RKE1 Mitigation Steps:
If you are using RKE1 and wish to disable the admission webhook, perform the following:
- Delete the ValidatingWebhookConfiguration called ingress-nginx-admission
- Edit the ingress-nginx-controller DaemonSet, and remove the --validating-webhook argument from the controller container
- To further reduce the risk and mitigate CVE-2025-24514, add the --enable-annotation-validation=true argument to the ingress-nginx-controller DaemonSet
Optional: to remove the service associated with the admission webhook, delete the service called ingress-nginx-controller-admission
Please note that the above changes with RKE1 will be overridden next time the cluster is reconciled or upgraded.
Mitigation for Directly Installed ingress-nginx:
If you use the upstream ingress-nginx component (not installed by RKE1 or RKE2), then update it to v1.11.5, v1.12.1, or any later version.
To upgrade, follow the instructions available at https://kubernetes.github.io/ingress-nginx/deploy/upgrade/ and the specific release notes for v1.12.1 and v1.11.5. Pay attention to the specific post-fix needed for CVE-2025-1974.
If you can't upgrade right away, the following steps can be followed to disable the admission webhook:
- If you have installed ingress-nginx using Helm:
  - Reinstall, setting the Helm value controller.admissionWebhooks.enabled=false
- If you have installed ingress-nginx manually, apply the equivalent changes to your deployment method, or manually apply the following:
  - Delete the ValidatingWebhookConfiguration called ingress-nginx-admission
  - Edit the ingress-nginx-controller Deployment or DaemonSet, removing --validating-webhook from the controller container's argument list
Workaround for CVE-2025-24514
Mitigation steps for RKE1/RKE2
Please check if the enable-annotation-validation argument is true by default.
For RKE1
kubectl -n ingress-nginx exec nginx-ingress-controller-xxxxx -- /nginx-ingress-controller --help 2>&1 | grep enable-annotation-validation
For RKE2
kubectl -n kube-system exec rke2-ingress-nginx-controller-xxxxx -- /nginx-ingress-controller --help 2>&1 | grep enable-annotation-validation
If the argument is set to true by default, no further change is needed.
--enable-annotation-validation
If true, will enable the annotation validation feature. Defaults to true (default true)
If this is true, this issue does not affect you. If it is not true, you can mitigate this issue by setting the enable-annotation-validation argument to true with the steps below:
For RKE1:
kubectl -n ingress-nginx edit daemonset nginx-ingress-controller
Add the argument as below:
spec:
  template:
    spec:
      containers:
      - args:
        - /nginx-ingress-controller
        ...
        - --enable-annotation-validation=true # <-- Add this line
For RKE2:
Add a HelmChartConfig to change the argument.
The HelmChartConfig can be added for clusters provisioned by Rancher when editing the cluster in Cluster Management. This may be an option called "Additional Manifests" in the left-hand list, or nested under "Add-On Config" depending on the Rancher version.
For standalone RKE2 clusters, the HelmChartConfig file can be populated on each rke2-server node in the /var/lib/rancher/rke2/server/manifests directory.
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      enableAnnotationValidations: true
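As an added example (not part of the SUSE KB), the script below verifies the two controller settings changed by the RKE1, upstream and RKE2 mitigation steps above: the admission webhook (the --validating-webhook argument removed for CVE-2025-1974 and CVE-2025-24513) and annotation validation (the --enable-annotation-validation argument required for CVE-2025-24514). It also renders one RKE2 HelmChartConfig carrying both values, because the two manifests shown in this KB share metadata.name rke2-ingress-nginx in kube-system and therefore cannot coexist; applying the second would replace the first. The argument strings it inspects are in the form returned by kubectl's jsonpath output of a pod's container args; the sample argument lists in the block are constructed, not captured from a cluster, and the live audit uses the KB's pod selectors as an assumption about which pod is the controller.

```shell
#!/bin/sh
# Added example, not from the SUSE KB. Checks the controller's argument list for
# the admission webhook and annotation validation settings, and renders a single
# RKE2 HelmChartConfig that sets both values at once.
# Argument strings are in the form produced by:
#   kubectl get pods -A -l app.kubernetes.io/name=<name> \
#     -o jsonpath='{.items[0].spec.containers[0].args[*]}'

# Return 0 when no --validating-webhook argument is present (webhook disabled).
webhook_disabled() {
    for arg in $1; do
        case $arg in
            --validating-webhook|--validating-webhook=*) return 1 ;;
        esac
    done
    return 0
}

# Print "true", "false" or "default" for --enable-annotation-validation.
# "default" means the flag is not set explicitly; in that case confirm the
# binary's built-in default with the "--help" command from the KB.
annotation_validation_state() {
    state=default
    for arg in $1; do
        case $arg in
            --enable-annotation-validation|--enable-annotation-validation=true) state=true ;;
            --enable-annotation-validation=false) state=false ;;
        esac
    done
    echo "$state"
}

# Print one HelmChartConfig with both values. The KB's two manifests share the
# same name and namespace, so only one can exist; merging avoids overwriting.
render_rke2_helmchartconfig() {
    cat <<'EOF'
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      admissionWebhooks:
        enabled: false
      enableAnnotationValidations: true
EOF
}

# Live audit of the running controllers; skipped when kubectl is unavailable.
# Assumption: the first pod matching the KB's selector is the controller pod.
live_audit() {
    command -v kubectl >/dev/null 2>&1 || { echo "kubectl not found; skipping live audit" >&2; return 0; }
    for name in ingress-nginx rke2-ingress-nginx; do
        args=$(kubectl get pods --all-namespaces --selector "app.kubernetes.io/name=$name" \
            -o jsonpath='{.items[0].spec.containers[0].args[*]}' 2>/dev/null) || continue
        [ -n "$args" ] || continue
        if webhook_disabled "$args"; then
            echo "$name: admission webhook disabled"
        else
            echo "$name: admission webhook ENABLED (--validating-webhook still present)"
        fi
        echo "$name: annotation validation = $(annotation_validation_state "$args")"
    done
}

# Constructed samples: a controller before mitigation and one after the KB's steps.
BEFORE='/nginx-ingress-controller --election-id=ingress-controller-leader --controller-class=k8s.io/ingress-nginx --validating-webhook=:8443 --validating-webhook-certificate=/usr/local/certificates/cert --validating-webhook-key=/usr/local/certificates/key'
AFTER='/nginx-ingress-controller --election-id=ingress-controller-leader --controller-class=k8s.io/ingress-nginx --enable-annotation-validation=true'

for args in "$BEFORE" "$AFTER"; do
    webhook_disabled "$args" && w=disabled || w=enabled
    echo "sample: webhook $w, annotation validation $(annotation_validation_state "$args")"
done
render_rke2_helmchartconfig
live_audit
```

The patterns deliberately match only --validating-webhook and --validating-webhook=..., so the certificate and key arguments that usually sit next to it are not mistaken for an enabled webhook. For a standalone RKE2 node, redirect the rendered manifest into /var/lib/rancher/rke2/server/manifests as a single file instead of keeping two HelmChartConfig files with the same name.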
Workaround for CVE-2025-1097, CVE-2025-1098
No workaround is provided for these CVEs; please upgrade your RKE1/RKE2 version.
Cause
Under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
Source: CVE-MITRE.org
Additional Information
Kubernetes upstream issues for the CVEs:
CVE-2025-24513: https://github.com/kubernetes/kubernetes/issues/131005
CVE-2025-24514: https://github.com/kubernetes/kubernetes/issues/131006
CVE-2025-1097: https://github.com/kubernetes/kubernetes/issues/131007
CVE-2025-1098: https://github.com/kubernetes/kubernetes/issues/131008
CVE-2025-1974: https://github.com/kubernetes/kubernetes/issues/131009
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000021756
- Creation Date: 25-Mar-2025
- Modified Date: 28-Mar-2025
- SUSE Rancher
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com