Issues with Kubernetes ingress-nginx controller (Multiple CVEs)
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2025/03/24 09:00AM PDT
Description
Ingress Controllers are applications within a Kubernetes cluster that enable Ingress resources to function.
AWS is aware of CVE-2025-1098, CVE-2025-1974, CVE-2025-1097, CVE-2025-24514, and CVE-2025-24513, which affect the Kubernetes ingress-nginx controller. Amazon Elastic Kubernetes Service (Amazon EKS) does not provide or install the ingress-nginx controller and is not affected by these issues. Customers who have installed this controller on their clusters should update to the latest version.
We have proactively notified customers who were identified as having this controller installed.
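One way to find out whether a cluster runs the controller, and at which image tag, is to inventory pod images from `kubectl get pods -A -o json`. This is an added example, not code from AWS or the ingress-nginx project; it assumes the image repository path contains `ingress-nginx/controller`, and the sample data and tags are constructed placeholders.

```python
import json
import sys

# Assumption: controller images keep the upstream repository path
# (e.g. registry.k8s.io/ingress-nginx/controller); add patterns for renamed mirrors.
IMAGE_MARKER = "ingress-nginx/controller"


def split_image(image):
    """Return (repository, tag) for an image reference, dropping any @digest."""
    ref = image.split("@", 1)[0]
    last_slash, colon = ref.rfind("/"), ref.rfind(":")
    if colon > last_slash:  # a colon before the last slash is a registry port
        return ref[:colon], ref[colon + 1:]
    return ref, "<untagged>"


def find_controllers(pod_list):
    """Return sorted unique (namespace, pod, repository, tag) for controller containers."""
    found = set()
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
        for c in containers:
            image = c.get("image", "")
            if IMAGE_MARKER in image:
                repo, tag = split_image(image)
                found.add((meta.get("namespace", ""), meta.get("name", ""), repo, tag))
    return sorted(found)


# Constructed sample input (not real cluster data); tags are placeholders.
SAMPLE = {"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-abc"},
     "spec": {"containers": [
         {"image": "registry.k8s.io/ingress-nginx/controller:vX.Y.Z@sha256:0000"}]}},
    {"metadata": {"namespace": "edge", "name": "edge-ingress-xyz"},
     "spec": {"containers": [
         {"image": "registry.example.internal:5000/mirror/ingress-nginx/controller"}]}},
    {"metadata": {"namespace": "kube-system", "name": "coredns-123"},
     "spec": {"containers": [{"image": "registry.example.internal/coredns:vA.B.C"}]}},
]}

if __name__ == "__main__":
    # Pipe `kubectl get pods -A -o json` in; with no input the sample is used.
    raw = "" if sys.stdin is None or sys.stdin.isatty() else sys.stdin.read()
    data = json.loads(raw) if raw.strip() else SAMPLE
    for ns, pod, repo, tag in find_controllers(data):
        print(f"{ns}/{pod}\t{repo}:{tag}")
```

Compare each reported tag with the latest ingress-nginx release; an `<untagged>` result means the pod pulls by digest or by default tag and has to be checked against the image itself.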
References:
- CVE-2025-1098 - GitHub Issue
- CVE-2025-1974 - GitHub Issue
- CVE-2025-1097 - GitHub Issue
- CVE-2025-24514 - GitHub Issue
- CVE-2025-24513 - GitHub Issue
Please email aws-security@amazon.com with any security questions or concerns.