CVE-2025-1974: ingress-nginx admission controller RCE escalation. is app routing add on affected?

[demeesterdev]

CVSS Rating: ((CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)[https://www.first.org/cvss/calculator/3-1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (Score: 9.8, Critical)

For more information see: kubernetes/kubernetes#131009

Affects ngnix-ingress up until 1.11.4
At time of writing all observed clusters on aks are running 1.11.2

Fixed at 1.11.5

Is the app routing add on affected?

Edit:
AKS (Managed NGINX ingress) is not affected by CVE-2025-1974
Ref: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-1974

[magguns]

For AKS clusters running App Routing Addon, isn't this based on the non-vulnerable F5 one? nginx-ingress-controller as apposed to ingress-nginx-controller
Image appears to be http://mcr.microsoft.com/oss/kubernetes/ingress/nginx-ingress-controller:v1.11.2.

[demeesterdev]

Thank you for making me aware of the difference, if so my response would be: 🤦‍♂️sorry for the momentary jump in stress levels for whomever reads this issue.

If the app routing add on is indeed based on the F5 ingress controller and the F5 version isn't affected.
Then the setup of AKS isn't affected either.

But I don't have the answers to those questions (yet).

Edit: updated issue title and description to reflect my lack of insight.

[magguns]

To make matters more confusing, the versioning seems to follow the vulnerable ingress-nginx project, but the naming convention follows the non-vulnerable F5 one: https://docs.nginx.com/nginx-ingress-controller/releases/

[demeesterdev]

via via found the information I was looking for.

AKS is not affected for this CVE, AKS is affected by other CVEs released on march 24th:
updates will be rolled out in the next couple of days to fix the other vurnerabilities.

For refernce:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-1974

[ritazh]

Several security vulnerabilities affecting the Kubernetes nginx ingress controller were disclosed on March 24, 2025: CVE-2025-1098 (High), CVE-2025-1974 (Critical), CVE-2025-1097 (High), CVE-2025-24514 (High), and CVE-2025-24513 (Medium).

If you are running your own Kubernetes nginx Ingress Controller, please review the CVEs and mitigate by updating to the latest patch versions (v1.11.5 and v1.12.1).

If you are using the Managed NGINX ingress with the application routing add-on on AKS, the patches are getting rolled out to all regions and should be completed in a few days. No action is required.

The status of the AKS deployment can be monitored here: AKS Release Status.