MET-2025-001
ingress-nginx (CVE-2025-1974)
Bulletin ID | MET-2025-001 |
---|---|
Date (published) | 2025-03-25T00:00:00.000Z |
Date (last updated) | 2025-03-25T00:00:00.000Z |
Severity | Critical |
On March 24th, 2025, ingress-nginx maintainers published details of multiple vulnerabilities in ingress-nginx. The vulnerabilities could allow an attacker to bypass security controls and execute arbitrary code on the underlying host.
Metaplay infrastructure and products are affected by these vulnerabilities:
v0.7.2 and v0.4.7 have been published, which address these vulnerabilities. v0.4.7, v0.5.x, v0.6.x, v0.7.0 and v0.7.1 are affected.
The biggest impact of these vulnerabilities is that in-Kubernetes payloads could access ingress-nginx endpoints to escalate privileges and expose secrets that they should not otherwise have access to. The issue is slightly less severe in single-tenant, self-hosted infrastructure stacks, but continues to be critical and should be patched as soon as possible.
If you are running your own infrastructure stack using Metaplay's Terraform modules, we strongly urge you to update to either v0.7.2 or v0.4.7, depending on which is more convenient for you.
If you are unable to update your infrastructure at this moment, the immediate issues can be mitigated with the following configuration, which overrides the default Helm values for ingress-nginx. Apply this to your environments/aws-region Terraform module configuration:
```hcl
module "infra" {
  source = "git@github.com:metaplay-shared/infra-modules.git//environments/aws-region?ref=v0.4.0"

  # ... snip...

  # This pass-through variable was introduced in v0.3.1.
  services_helm_chart_overrides = {
    # As per https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/#your-next-steps
    ingress-nginx = {
      controller = {
        admissionWebhooks = {
          enabled = false
        }
      }
    }
  }
}
```
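A check that the override took effect, as an added example (not Metaplay's or the ingress-nginx project's code): it inspects saved `kubectl ... -o json` output for the admission webhook registration and for the controller's `--validating-webhook` listener flags. The webhook name, flag prefix and label selector are those used by the upstream ingress-nginx Helm chart; the namespace and resource names in the sample data are constructed and may differ in your stack.

```python
import json
import sys

# Webhook name and flag prefix used by the upstream ingress-nginx Helm chart.
WEBHOOK_NAME = "validate.nginx.ingress.kubernetes.io"
FLAG_PREFIX = "--validating-webhook"

def audit(webhook_configs, workloads):
    """Return findings that show the admission controller is still enabled."""
    # webhook_configs: kubectl get validatingwebhookconfigurations -o json
    # workloads: kubectl get deploy,ds -A -l app.kubernetes.io/name=ingress-nginx -o json
    findings = []
    for cfg in webhook_configs.get("items", []):
        for hook in cfg.get("webhooks") or []:
            if hook.get("name") == WEBHOOK_NAME:
                svc = (hook.get("clientConfig") or {}).get("service") or {}
                findings.append("webhook registered: %s -> %s/%s" % (
                    cfg["metadata"]["name"], svc.get("namespace"), svc.get("name")))
    for wl in workloads.get("items", []):
        meta = wl["metadata"]
        for c in wl["spec"]["template"]["spec"].get("containers", []):
            flags = [a for a in c.get("args") or [] if a.startswith(FLAG_PREFIX)]
            if flags:
                findings.append("listener enabled: %s %s/%s (%s)" % (
                    wl["kind"], meta.get("namespace"), meta["name"], flags[0]))
    return findings

def _workload(args):  # constructed sample: one controller Deployment
    return {"items": [{"kind": "Deployment",
        "metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller"},
        "spec": {"template": {"spec": {"containers": [
            {"name": "controller", "args": args}]}}}}]}

# Constructed sample data: before and after the Helm override is applied.
HOOKS_BEFORE = {"items": [{"metadata": {"name": "ingress-nginx-admission"},
    "webhooks": [{"name": WEBHOOK_NAME, "clientConfig": {"service": {
        "namespace": "ingress-nginx", "name": "ingress-nginx-controller-admission"}}}]}]}
WORKLOADS_BEFORE = _workload(["/nginx-ingress-controller", "--validating-webhook=:8443"])
HOOKS_AFTER = {"items": []}
WORKLOADS_AFTER = _workload(["/nginx-ingress-controller"])

if __name__ == "__main__":
    if len(sys.argv) == 3:  # real data: two files of saved kubectl JSON output
        docs = [json.load(open(p)) for p in sys.argv[1:3]]
    else:
        docs = [HOOKS_BEFORE, WORKLOADS_BEFORE]
    results = audit(*docs)
    print("\n".join(results) or "admission webhook not found")
    sys.exit(1 if results else 0)
```

A non-empty result after the Terraform change has been applied means the webhook is still registered or the controller is still listening for admission requests.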
Security-related questions or concerns can be sent to security@metaplay.io.
Date | Description |
---|---|
2025-03-25 | Security Bulletin released |