CVE-2025-1974: ELB + Ingress-Nginx Exposure Analysis
Key Point: Having ingress-nginx behind an AWS ELB does not automatically expose you to CVE-2025-1974.
Are you safe?
- The vulnerability requires access to the Validating Admission Controller
- Regular HTTP requests through your ELB cannot trigger the exploit
- External users hitting your application (e.g., fancyapp.com) cannot exploit this vulnerability
Real Attack Requirements:
- Access to the Kubernetes API
- Ability to create/modify Ingress resources
- Network access similar to pod-level connectivity
- Ability to interact with the admission webhook
Security Focus
- Monitor internal pod network access
- Maintain strict Kubernetes API access controls
- Keep standard network segmentation practices
ELB's Role
- The ELB simply routes external traffic to your ingress-nginx controller. This regular traffic flow cannot trigger the vulnerability; exploitation requires direct interaction with the admission webhook through the Kubernetes API.
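A defender's check for the claim above, added here as an example that is not part of the original note: it inspects the ingress-nginx Services in the shape `kubectl get svc -o json` returns and flags any externally reachable one (LoadBalancer or NodePort, i.e. what an ELB fronts) that forwards to the admission webhook. It assumes a default install where the webhook listens on container port 8443 and that port is named "webhook"; the sample Service list is constructed.

```python
import json
import subprocess

# Assumptions about a default ingress-nginx install (not stated in the note):
# the validating admission webhook listens on container port 8443, which the
# Helm chart names "webhook". Adjust both for a customised deployment.
WEBHOOK_PORT = 8443
WEBHOOK_PORT_NAME = "webhook"
EXTERNAL_TYPES = {"LoadBalancer", "NodePort"}  # what an ELB can front

# Constructed sample in `kubectl get svc -o json` shape: the normal controller
# Service, the ClusterIP admission Service the API server calls internally, and
# a misconfigured NodePort Service that would leak the webhook port.
SAMPLE_SERVICES = {"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller"},
     "spec": {"type": "LoadBalancer", "ports": [
         {"name": "http", "port": 80, "targetPort": "http"},
         {"name": "https", "port": 443, "targetPort": "https"}]}},
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-admission"},
     "spec": {"type": "ClusterIP", "ports": [
         {"name": "https-webhook", "port": 443, "targetPort": "webhook"}]}},
    {"metadata": {"namespace": "ingress-nginx", "name": "debug-webhook"},
     "spec": {"type": "NodePort", "ports": [
         {"name": "admin", "port": 8443, "targetPort": 8443}]}},
]}

def forwards_to_webhook(port: dict) -> bool:
    """True if this Service port forwards to the admission webhook."""
    target = port.get("targetPort")
    return target in (WEBHOOK_PORT, WEBHOOK_PORT_NAME) or "webhook" in str(port.get("name", ""))

def find_exposed_webhooks(service_list: dict) -> list:
    """'namespace/name:port' for every externally reachable Service that forwards
    to the webhook; an empty list means the ELB carries application traffic only."""
    findings = []
    for svc in service_list.get("items", []):
        spec = svc.get("spec", {})
        if spec.get("type") not in EXTERNAL_TYPES:
            continue
        meta = svc["metadata"]
        for port in spec.get("ports", []):
            if forwards_to_webhook(port):
                findings.append(f"{meta['namespace']}/{meta['name']}:{port.get('port')}")
    return findings

def load_services(namespace: str = "ingress-nginx") -> dict:
    """Fetch live Services with kubectl (read access to the namespace needed)."""
    out = subprocess.run(["kubectl", "get", "svc", "-n", namespace, "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)
```

Against a live cluster, call `find_exposed_webhooks(load_services())`; any finding means the webhook is reachable on a path the note assumes is closed and should be removed.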
Created on 3/26/2025