
CVE-2025-1974

CVE Details

Visit the official vulnerability details page for CVE-2025-1974 to learn more.

Initial Publication

03/24/2025

Last Update

05/23/2025

Third Party Dependency

ingress-nginx

NIST CVE Summary

A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)

CVE Severity

9.8

Our Official Summary

This critical CVE in the ingress-nginx controller affects both Palette and VerteX deployments. Workload clusters running ingress-nginx controller versions earlier than v1.11.0, v1.11.0 through v1.11.4, or v1.12.0 are also vulnerable. An attacker with access to the pod network can achieve remote code execution in the controller and use it to dump confidential information, such as Secrets, from the affected clusters. Update the ingress controller to v1.11.5 or v1.12.1 to fix the vulnerability. Palette and VerteX SaaS deployments and the managed dedicated Palette deployments are patched. For a more detailed description, timeline, and remediation steps, see https://docs.spectrocloud.com/security-bulletins/security-advisories.
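As an added example (not Spectro Cloud's or the ingress-nginx project's own code), the following Python script applies the affected-version list above to a pod dump of the form produced by `kubectl get pods -A -o json`, so you can confirm which workload clusters still run a vulnerable controller before and after upgrading. It assumes the controller uses the upstream image path `registry.k8s.io/ingress-nginx/controller`; the embedded pod list is constructed sample data, and a controller pinned only by digest (no version tag) is reported as unknown rather than silently treated as safe.

```python
"""Flag ingress-nginx controller pods affected by CVE-2025-1974 from a kubectl pod dump."""
import json
import re

# Affected ranges as listed in this advisory: everything before v1.11.5
# (i.e. < v1.11.0 and v1.11.0 - v1.11.4) plus v1.12.0.
# Fixed releases: v1.11.5, v1.12.1 and later.
FIRST_FIXED_1_11 = (1, 11, 5)
AFFECTED_EXACT = {(1, 12, 0)}

# Assumed upstream image path; adjust if your clusters mirror the image elsewhere.
CONTROLLER_IMAGE_PATH = "ingress-nginx/controller"

# Matches ":v1.11.4", ":1.12.0-beta.0" and an optional trailing "@sha256:<digest>".
IMAGE_TAG_RE = re.compile(
    r":v?(\d+)\.(\d+)\.(\d+)(?:[-+][\w.]+)?(?:@sha256:[0-9a-f]{64})?$"
)


def parse_version(image: str):
    """Return (major, minor, patch) from an image reference, or None if it carries no semver tag."""
    m = IMAGE_TAG_RE.search(image)
    if not m:
        return None  # digest-only reference: version cannot be determined from the name
    return tuple(int(x) for x in m.groups())


def is_affected(version) -> bool:
    """True if the controller version falls in an affected range from the advisory."""
    return version < FIRST_FIXED_1_11 or version in AFFECTED_EXACT


def scan_pods(pod_list_json: str):
    """Walk a `kubectl get pods -A -o json` dump and report every ingress-nginx controller image."""
    findings = []
    for pod in json.loads(pod_list_json)["items"]:
        meta = pod["metadata"]
        for container in pod["spec"]["containers"]:
            image = container["image"]
            if CONTROLLER_IMAGE_PATH not in image:
                continue
            version = parse_version(image)
            findings.append({
                "namespace": meta["namespace"],
                "pod": meta["name"],
                "image": image,
                "version": version,
                # None means "unknown": the image is digest-pinned, check it by hand.
                "affected": None if version is None else is_affected(version),
            })
    return findings


# Constructed sample input (not real cluster data): one vulnerable controller,
# one patched controller, and an unrelated pod that must be ignored.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller-6f8b"},
     "spec": {"containers": [{"name": "controller",
              "image": "registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:" + "a" * 64}]}},
    {"metadata": {"namespace": "edge", "name": "ingress-nginx-controller-2c1d"},
     "spec": {"containers": [{"name": "controller",
              "image": "registry.k8s.io/ingress-nginx/controller:v1.12.1"}]}},
    {"metadata": {"namespace": "kube-system", "name": "coredns-7d"},
     "spec": {"containers": [{"name": "coredns",
              "image": "registry.k8s.io/coredns/coredns:v1.11.1"}]}},
]})


if __name__ == "__main__":
    for f in scan_pods(SAMPLE_PODS):
        status = {True: "AFFECTED", False: "fixed", None: "unknown (digest-only image)"}[f["affected"]]
        print(f'{f["namespace"]}/{f["pod"]}: {f["image"]} -> {status}')
```

To run it against a live cluster, save `kubectl get pods -A -o json` to a file and pass its contents to `scan_pods`; any row reported as affected should be upgraded to v1.11.5 or v1.12.1 as stated above, and digest-only rows need the digest resolved against the release manifests before they are treated as patched.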

Status

Ongoing

Affected Products & Versions

| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---------|--------------------|---------------------------|--------|---------------|
| 4.6.12 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.5.22 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |
| 4.4.20 | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted |

Revision History

| Date | Revision |
|------|----------|
| 05/23/2025 | Advisory severity revised to UNKNOWN from CRITICAL |
| 05/21/2025 | Advisory severity revised to UNKNOWN from CRITICAL |