SAS® Viya® platform guidance for Kubernetes Ingress-NGINX Controller CVEs


Some versions of ingress-nginx are affected by a security vulnerability. Your SAS Viya platform deployment might be exposed to this vulnerability.

Associated CVEs

This security issue has the following associated CVEs:

See this Kubernetes announcement related to these vulnerabilities: Ingress-nginx CVE-2025-1974: What You Need to Know. Fixes for all five of these vulnerabilities have been released by the team that maintains ingress-nginx and are available here: https://github.com/kubernetes/ingress-nginx/releases.

Is my SAS Viya platform deployment affected by these CVEs?

You are not affected if your cluster is on Red Hat OpenShift. You are affected if your cluster is running on any other Kubernetes provider that is supported for a SAS Viya platform deployment. 

To assess your ingress-nginx exposure, run the following command:

kubectl get pods --all-namespaces -l app.kubernetes.io/name=ingress-nginx

Here is an example response:

NAMESPACE       NAME                  
ingress-nginx   ingress-nginx-controller-****

If your SAS Viya deployment contains no pods labeled app.kubernetes.io/name=ingress-nginx, then you are not affected.

If your SAS Viya deployment contains pods with this label, check the version by running the following command:

kubectl get pods -A -l app.kubernetes.io/name=ingress-nginx -o jsonpath="{.items[*].spec.containers[?(@.name=='controller')].image}"

The response shows the version number after controller: in the image reference (v1.12.1 in the following example output):

registry.k8s.io/ingress-nginx/controller:v1.12.1@sha256****

Remediation: Upgrade Versions

To avoid the risks associated with these ingress-nginx CVEs, SAS recommends that you upgrade to a patched version of ingress-nginx that is supported by the Kubernetes version on which your cluster is running.

The following table lists affected versions and the corresponding recommended upgrade paths for a SAS Viya platform deployment:

Affected Ingress Version                       | Upgrade to Version
v1.11.0 and earlier (v1.10, v1.9, and so on)   | v1.11.5
v1.11.0 - 1.11.4                               | v1.11.5
v1.12.0                                        | v1.12.1
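
The version check and the upgrade table above can be combined into one script that reads the image references returned by the jsonpath command and reports the upgrade target for each. This is an added example, not SAS or ingress-nginx project code; the function names upgrade_target and check_images and the sample image references are constructed for illustration.

```sh
#!/bin/sh
# Added example (not SAS or ingress-nginx code): classify controller images
# against the upgrade table on this page.

# upgrade_target IMAGE -> prints the version to upgrade to, "ok" when the
# version is not listed as affected, or "unknown" when no x.y.z tag is found.
upgrade_target() {
  ref=${1##*/}                 # drop registry/repository path (and any port)
  ref=${ref%%@*}               # drop the @sha256 digest
  case $ref in *:*) ;; *) echo unknown; return ;; esac   # digest-only reference
  ver=${ref#*:}; ver=${ver#v}
  ver=${ver%%[!0-9.]*}         # drop suffixes such as -beta.0
  case $ver in
    *..*|.*|*.) echo unknown; return ;;
    *.*.*) ;;
    *) echo unknown; return ;;
  esac
  major=${ver%%.*}; rest=${ver#*.}
  minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*}
  if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 11 ]; }; then
    echo v1.11.5               # table row: v1.10, v1.9, and so on
  elif [ "$major" -eq 1 ] && [ "$minor" -eq 11 ] && [ "$patch" -le 4 ]; then
    echo v1.11.5               # table row: v1.11.0 - 1.11.4
  elif [ "$major" -eq 1 ] && [ "$minor" -eq 12 ] && [ "$patch" -eq 0 ]; then
    echo v1.12.1               # table row: v1.12.0
  else
    echo ok
  fi
}

# check_images reads whitespace-separated image references on stdin (the shape
# of the jsonpath output above) and returns 1 if any is affected or unparsable.
check_images() {
  rc=0
  for image in $(cat); do
    target=$(upgrade_target "$image")
    printf '%s\t%s\n' "$target" "$image"
    [ "$target" = ok ] || rc=1
  done
  return $rc
}

# Constructed sample input; in a cluster, pipe the kubectl jsonpath command here.
SAMPLE='registry.k8s.io/ingress-nginx/controller:v1.12.1@sha256:0000 registry.example:5000/ingress-nginx/controller:v1.11.3 registry.k8s.io/ingress-nginx/controller:v1.12.0'
printf '%s\n' "$SAMPLE" | check_images || echo "upgrade needed"
```

A result of unknown means the image was pinned by digest only or carries a non-version tag, so the running version has to be confirmed another way before the deployment is treated as unaffected.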

Version-Specific Notes

For ingress-nginx 1.11.x releases and earlier, SAS recommends that you upgrade only within the minor release that you currently have installed instead of upgrading to the next release. For example, upgrade from 1.11.0 to 1.11.5 rather than from 1.11 to 1.12.1. 

If you want to upgrade to 1.12.1 from any earlier minor version of ingress-nginx, you must perform additional setup as described in Required Ingress Controller Configuration.

Note: Ensure that you are viewing the version of the documentation that corresponds to your SAS Viya platform release by checking the version shown in the SAS Help Center.

Hardening Options

The team that maintains ingress-nginx makes the following suggestions for hardening your cluster:

If you have questions or concerns, contact SAS Technical Support.