Ingress NGINX Vulnerability

As you might have read online, Wiz Research discovered CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974, a series of unauthenticated Remote Code Execution vulnerabilities in Ingress NGINX Controller for Kubernetes dubbed #IngressNightmare.

How does this impact you?

You may be impacted if you're using an older version of Garden (see below for the impacted versions) to install an NGINX Ingress Controller. Garden installs the NGINX Ingress Controller if you set setupIngressController: nginx in your kubernetes provider (see: https://docs.garden.io/reference/providers/kubernetes#providers-.setupingresscontroller). That is, if your project looks like this:

kind: Project
# ...
providers:
  - name: kubernetes
    setupIngressController: "nginx" # <--- Means Garden will install NGINX Ingress Controller

Which Garden versions are impacted?

Garden Bonsai versions up to and including 0.13.56, and Garden Cedar 0.14.0, are affected.
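
The two conditions above (a provider with setupIngressController set to nginx, and a Garden version in the affected range) can be checked mechanically. The shell functions below are an added example, not part of Garden or of the original advisory; the function names are hypothetical, and the version is passed in as an argument, taken from whatever your Garden CLI reports.

```shell
#!/bin/sh
# Added example, not Garden's own code. All function names are hypothetical.

# Print affected / patched / unknown for a Garden version such as 0.13.56,
# using only the version ranges stated in this advisory.
garden_version_status() {
  v=${1#v}                                  # tolerate a leading "v"
  case "$v" in
    ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;  # edge/pre-release/garbage
  esac
  old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
  [ "$#" -eq 3 ] || { echo unknown; return 0; }
  case "$1.$2" in
    0.13) if [ "$3" -le 56 ]; then echo affected; else echo patched; fi ;;  # Bonsai
    0.14) if [ "$3" -eq 0 ]; then echo affected; else echo patched; fi ;;   # Cedar
    *)    echo unknown ;;                   # release line not covered by the advisory
  esac
}

# Succeed if the file sets setupIngressController to nginx on an uncommented
# line (quoted or unquoted, with or without a trailing comment).
project_installs_nginx() {
  grep -Eq "^[[:space:]]*(-[[:space:]]+)?setupIngressController:[[:space:]]*[\"']?nginx[\"']?[[:space:]]*(#.*)?\$" "$1"
}

# Combine both checks: advisory_check VERSION PROJECT_FILE
advisory_check() {
  if ! project_installs_nginx "$2"; then echo not-applicable; return 0; fi
  garden_version_status "$1"
}

# Constructed sample input: the project snippet shown in this advisory.
sample=$(mktemp)
cat > "$sample" <<'EOF'
kind: Project
providers:
  - name: kubernetes
    setupIngressController: "nginx" # <--- Means Garden will install NGINX Ingress Controller
EOF
for ver in 0.13.56 0.13.57 0.14.0 0.14.1; do
  printf '%s -> %s\n' "$ver" "$(advisory_check "$ver" "$sample")"
done
rm -f "$sample"
```

A "patched" result describes the CLI only: Garden does not update an already-installed ingress controller, so the uninstall and redeploy steps in the fix still apply after upgrading.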

How to fix it?

  1. Upgrade to the latest Garden version using the following commands:

# Garden Bonsai:
garden self-update 0.13.57

# Garden Cedar:
garden self-update 0.14.1

  2. Uninstall the currently installed ingress controller (Garden doesn’t update it automatically, see: https://docs.garden.io/guides/install-local-kubernetes#updating-or-removing-the-garden-installed-nginx-ingress-controller):

garden plugins kubernetes uninstall-garden-services

  3. Run any of your usual Garden commands, for example garden deploy or garden test, which will trigger an automatic redeploy of the ingress controller. The patched version that will be installed is 1.12.1.

As always, we are here to support you. Good luck and stay safe out there!

Relevant links:

  • Wiz Research report: https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities

  • Kubernetes’s blog: https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/

  • Garden Cedar 0.14.1 release notes: https://github.com/garden-io/garden/releases/tag/0.14.1

  • Garden Bonsai 0.13.57 release notes: https://github.com/garden-io/garden/releases/tag/0.13.57
