KB-2335 Information about the Kubernetes ingress-nginx controller vulnerability (CVE-2025-1974, CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, & CVE-2025-1098)

On 24-Mar-2025, Wiz announced the discovery of a series of CVEs in the Ingress NGINX Controller for Kubernetes. These findings were reported to Kubernetes who later announced patches for ingress-nginx.  

Upon assessing the Appian platform against all details of the CVEs, we can confirm that the Appian platform is not impacted. Appian does deploy ingress-nginx in multiple partitions of the platform; however, these deployments do not make use of the admissionWebhooks component which is the underlying impacted feature.

While our current implementation is not affected, we are prioritizing upgrades of our ingress-nginx deployments to the latest version as a precautionary safety measure.

IMPORTANT: Self-managed Appian on Kubernetes is not shipped with ingress-nginx. If your environment uses the Ingress NGINX Controller to expose Appian, please review to confirm your version and upgrade to a secure one if necessary.

Additional Notes

The following CVEs were released with additional information on the scope of the vulnerability:

• https://nvd.nist.gov/vuln/detail/CVE-2025-1974 
• https://nvd.nist.gov/vuln/detail/CVE-2025-24513 
• https://nvd.nist.gov/vuln/detail/CVE-2025-24514 
• https://nvd.nist.gov/vuln/detail/CVE-2025-1097 
• https://nvd.nist.gov/vuln/detail/CVE-2025-1098 

Supporting Documentation

• https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974

Affected Versions

This article applies to Appian Cloud.

Last reviewed: March 26, 2025