Ingress NGINX Vulnerability
As you might have read online, Wiz Research discovered CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974, a series of unauthenticated Remote Code Execution vulnerabilities in Ingress NGINX Controller for Kubernetes dubbed #IngressNightmare.
How does this impact you?
You may be affected if you use an older version of Garden (see below for the affected versions) to install an NGINX Ingress Controller. Garden installs the NGINX Ingress Controller when you set setupIngressController: nginx in your kubernetes provider (see: https://docs.garden.io/reference/providers/kubernetes#providers-.setupingresscontroller). That is, if your project looks like this:
Which Garden versions are impacted?
Garden Bonsai up to and including 0.13.56 and Garden Cedar 0.14.0 are affected.
How to fix it?
Upgrade to the latest Garden version using the following commands:
Uninstall the currently installed ingress controller (Garden does not update it automatically; see: https://docs.garden.io/guides/install-local-kubernetes#updating-or-removing-the-garden-installed-nginx-ingress-controller):
Run any of your usual Garden commands, for example garden deploy or garden test, which will trigger an automatic redeploy of the ingress controller. The patched version that will be installed is 1.12.1.
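A post-upgrade check, added here as an example rather than Garden's own tooling: it extracts the version from the controller image reference that is actually running in the cluster and compares it against the patched 1.12.1 release named above. The ingress-nginx namespace, label selector and jsonpath are assumptions about a standard installation, so adjust them to wherever Garden installed the controller in your cluster.

```shell
#!/bin/sh
# Added example, not Garden's own tooling: confirm that the ingress-nginx
# controller actually running in the cluster is at or above the patched
# release that the upgraded Garden installs (1.12.1, per this advisory).
PATCHED_VERSION="1.12.1"

# Pull the version out of an image reference such as
# registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:...
image_tag_version() {
  ref="${1%%@*}"              # drop a trailing @sha256:<digest>
  tag="${ref##*:}"            # text after the last colon is the tag
  tag="${tag#v}"              # strip the leading "v"
  printf '%s\n' "${tag%%-*}"  # ignore pre-release suffixes such as -rc1
}

# True (exit 0) when dotted version $1 >= $2, compared numerically per field.
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s\n' "$1" | cut -d. -f"$i"); y=$(printf '%s\n' "$2" | cut -d. -f"$i")
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# Exit 0 when the image is patched, 1 when it is vulnerable, 2 when the tag
# cannot be parsed (an unparseable reference is never treated as safe).
ingress_nginx_is_patched() {
  v=$(image_tag_version "$1")
  case "$v" in
    ''|*[!0-9.]*) echo "unrecognised image tag in: $1" >&2; return 2 ;;
  esac
  version_ge "$v" "$PATCHED_VERSION"
}

# Live check against the cluster. Namespace, label selector and jsonpath are
# assumptions about a standard ingress-nginx install; adjust to your setup.
check_cluster() {
  ns="${1:-ingress-nginx}"
  img=$(kubectl get deployment -n "$ns" -l app.kubernetes.io/name=ingress-nginx \
    -o jsonpath='{.items[0].spec.template.spec.containers[0].image}') || return 2
  if ingress_nginx_is_patched "$img"; then
    echo "patched: $img"
  else
    echo "VULNERABLE ingress-nginx still running: $img"; return 1
  fi
}
```

Run check_cluster with the namespace Garden used for the controller; a non-zero exit means the old image is still being served and the uninstall-and-redeploy steps above have not taken effect.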
As always, we are here to support. Good luck and stay safe out there!
Relevant links:
Wiz Research report: https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
Kubernetes blog: https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/
Garden Cedar 0.14.1 release notes: https://github.com/garden-io/garden/releases/tag/0.14.1
Garden Bonsai 0.13.57 release notes: https://github.com/garden-io/garden/releases/tag/0.13.57