April 10, 2025

Traefik vs. #IngressNightmare: Security By Design in the Age of Critical Vulnerabilities

The Wake-Up Call Our Industry Needed

When our security team first alerted us about the critical vulnerabilities disclosed in ingress-nginx on March 24th, 2025, we immediately understood the gravity of the situation. CVE-2025-1974, with its devastating 9.8 CVSS rating, represents one of the most significant Kubernetes security events in recent years.

The implications are sobering: any entity within the pod network could potentially seize control of your entire Kubernetes cluster—without credentials or administrative privileges. Let that sink in for a moment.

While the ingress-nginx team deserves credit for rapidly releasing patches (v1.11.5 and v1.12.1), the discovery of more than 6,500 vulnerable clusters in production environments remains deeply concerning. This isn't just another vulnerability—it's a fundamental architectural flaw that demands our industry's immediate attention.

Understanding #IngressNightmare: Beyond the Headlines

To truly appreciate the severity of these vulnerabilities, we need to examine the technical mechanics at play. The core issue stems from how ingress-nginx processes ingress objects through its admission controller.

When validating an ingress object, the controller constructs an NGINX configuration and validates it using the nginx -t command. The Wiz Research team brilliantly uncovered multiple configuration injection vulnerabilities (CVE-2025-24514, CVE-2025-1097, CVE-2025-1098) that allow attackers to inject arbitrary NGINX configuration directives by sending malicious ingress objects to the admission controller.

While these injection points alone don't immediately grant code execution, the researchers discovered that the ssl_engine directive could be exploited to load shared libraries at any point in the configuration. By combining this with a method to upload a shared library to the pod's filesystem, attackers can achieve remote code execution within the ingress-nginx controller's pod.

Most critically, because admission controllers typically run with elevated privileges and unrestricted network access, successful exploitation allows attackers to execute arbitrary code and access all cluster secrets across namespaces—potentially leading to complete cluster compromise.

Why Traefik Remains Secure: Architectural Decisions Matter

As the founder and developer of Traefik, Emile Vauge made fundamental architectural decisions a decade ago that have proven critical for security. These weren't accidental choices—they were deliberate design principles that we've maintained throughout Traefik's evolution:

  1. No Raw Configuration Templating: Unlike templated proxies, Traefik parses configuration inputs (Ingress, IngressRoute, Middlewares, Custom Resources, or Gateway API resources) into strongly typed Go structs. Without template mechanisms, there's simply no string injection path for attackers to exploit.
  2. Minimal Network Surface Area: Traefik doesn't implement an admission controller or any component with unrestricted network accessibility. It simply reads ingress resources and applies them if correct—if they can't be parsed correctly, they're ignored with minimal error logging. No configuration is ever executed or interpreted.
  3. No Dynamic Library Loading: Traefik is written in Go, producing statically linked executables by default. We deliberately compile without CGO options, making it impossible to execute code not already part of the binary. Unlike NGINX's ssl_engine directive, there's no mechanism to load external shared libraries.
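The first two principles in practice, as an added illustration that is not Traefik's own code: untyped key/value input from an ingress-like object is parsed into a strongly typed Go struct with validated fields, and any object that fails parsing is dropped rather than applied. The field names, the hostname regex and the sample objects are constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"time"
)

// Route is the strongly typed result of parsing one ingress-like object.
// Each field has a concrete type, so input stays data, never configuration text.
type Route struct {
	Host    string
	Backend *url.URL
	Timeout time.Duration
}

// hostRE is a hostname check constructed for this example (RFC 1123 labels).
var hostRE = regexp.MustCompile(`^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$`)

// ParseRoute converts untyped key/value input into a Route or rejects it.
func ParseRoute(in map[string]string) (*Route, error) {
	r := &Route{Host: in["host"]}
	if !hostRE.MatchString(r.Host) {
		return nil, fmt.Errorf("host %q is not a valid hostname", r.Host)
	}
	u, err := url.Parse(in["backend"])
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return nil, fmt.Errorf("backend %q is not an http(s) URL", in["backend"])
	}
	d, err := time.ParseDuration(in["timeout"])
	if err != nil || d <= 0 {
		return nil, fmt.Errorf("timeout %q is not a positive duration", in["timeout"])
	}
	r.Backend, r.Timeout = u, d
	return r, nil
}

// LoadRoutes mirrors "apply if correct, otherwise ignore and log": objects
// that fail typed parsing never reach the router.
func LoadRoutes(objs []map[string]string) (routes []Route, rejected []error) {
	for _, o := range objs {
		if r, err := ParseRoute(o); err != nil {
			rejected = append(rejected, err) // a real controller would log this once
		} else {
			routes = append(routes, *r)
		}
	}
	return routes, rejected
}
```

Because every value is either a hostname, a parsed URL or a duration, there is no string that is later handed to a configuration interpreter, which is the injection path the admission-controller design above relies on.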

These architectural principles weren't arbitrary—they were security-first decisions that have stood the test of time.

The Industry's Crossroads: Why Wait Years for a Solution?

It's telling that the ingress-nginx team recently announced plans to pivot toward developing InGate—a new Ingress/Gateway API controller written in Go. They've wisely stated that no new features will be added to ingress-nginx during this transition, with the ultimate goal of deprecating it entirely once InGate reaches GA status.

While this represents a thoughtful long-term strategy, the stark reality is that reaching stability with a comparable feature set will likely take years. With only 18 commits to InGate at the time of writing, the journey has barely begun.

The Path Forward: Security Cannot Wait

For organizations running Kubernetes in production today, the message is clear: you shouldn't wait years to address a critical security vulnerability that exists now.

The immediate priority is upgrading existing ingress-nginx deployments to patched versions (v1.11.5 or v1.12.1). However, this is merely a tactical response to a strategic problem.

The more prudent approach is migrating to an ingress controller that's secure by design. At Traefik Labs, we've spent a decade building and refining Traefik Proxy with security as a foundational principle—not an afterthought. Our architectural decisions made ten years ago—choosing a statically linked toolchain, a strongly typed language, and eliminating templating—have proven prescient in light of today's threats.

Conclusion: Design Principles Matter

As leaders in the cloud-native ecosystem, we believe #IngressNightmare offers a valuable lesson for our industry. Security cannot be bolted on—it must be built in from the ground up. The choices we make about programming languages, compilation methods, and configuration approaches have profound security implications that may not become apparent for years.

We're encouraged to see the ingress-nginx team recognizing these principles in their plans for InGate. By embracing Go, static linking, and strong typing, they're acknowledging the same architectural foundations that have kept Traefik secure for the past decade.

For organizations that can't afford to wait for InGate to mature, Traefik Proxy offers a battle-tested, secure-by-design alternative available today. Your security shouldn't be compromised while waiting for tomorrow's solutions.


Sudeep Goswami is the CEO of Traefik Labs, leading the company's global strategy and operations.

Emile Vauge is the Founder and CTO of Traefik Labs. He created Traefik, the popular open-source cloud-native application proxy, which has been downloaded over 3 billion times.

About the Author

With a 27-year career spanning multiple engineering, product, and executive disciplines, Sudeep is now leading the shift towards cloud-native, GitOps-driven API management as CEO of Traefik Labs.
