diff --git a/roles/baseline/defaults/main.yml b/roles/baseline/defaults/main.yml
index a963f05a..26a0816f 100644
--- a/roles/baseline/defaults/main.yml
+++ b/roles/baseline/defaults/main.yml
@@ -54,9 +54,6 @@ INGRESS_NGINX_CONFIG:
 config:
 use-forwarded-headers: "true"
- allow-snippet-annotations: "true"
- large-client-header-buffers: "4 32k"
- annotation-value-word-blocklist: "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},\\"
 tcp: {}
 udp: {}
 lifecycle:
@@ -65,6 +62,15 @@ INGRESS_NGINX_CONFIG:
 command: ["/bin/sh", "-c", "sleep 5; /usr/local/nginx/sbin/nginx -c /etc/nginx/nginx.conf -s quit; while pgrep -x nginx; do sleep 1; done"]
 terminationGracePeriodSeconds: 600
 
+# Ingress-nginx - CVE-2021-25742 Mitigation
+INGRESS_NGINX_CVE_2021_25742_PATCH:
+ controller:
+ config:
+ allow-snippet-annotations: "true"
+ large-client-header-buffers: "4 32k"
+ use-forwarded-headers: "true"
+ annotation-value-word-blocklist: "load_module,lua_package,_by_lua,location,root,proxy_pass,serviceaccount,{,},\\"
+
 ## Nfs-subdir-external-provisioner
 NFS_CLIENT_NAME: nfs-subdir-external-provisioner
 NFS_CLIENT_NAMESPACE: nfs-client
diff --git a/roles/baseline/tasks/ingress-nginx.yaml b/roles/baseline/tasks/ingress-nginx.yaml
index bac65b7a..d151ce4e 100644
--- a/roles/baseline/tasks/ingress-nginx.yaml
+++ b/roles/baseline/tasks/ingress-nginx.yaml
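Review bot: The new INGRESS_NGINX_CVE_2021_25742_PATCH keeps `allow-snippet-annotations: "true"` and relies only on `annotation-value-word-blocklist`, so the "mitigation" is a denylist placed in front of the very feature that, as I understand the upstream advisory, is meant to be switched off (`allow-snippet-annotations: "false"`) unless snippets are genuinely required. A word blocklist is bypassable by construction (any nginx or Lua directive not on the list still reaches the rendered config), so the header comment should state why snippets stay enabled and what compensates for it, e.g. `# Snippet annotations stay enabled because <consumer> depends on them; the word blocklist is a partial control, not a substitute for disabling snippets — keep Ingress create/update RBAC tightly scoped.` `use-forwarded-headers: "true"` is already present in INGRESS_NGINX_CONFIG a few lines up, so repeating it inside the patch is redundant. Because the explicit `allow-snippet-annotations` key was dropped from the base config in the previous hunk, a cluster that fails the version gate in the tasks file is left with whatever the controller's default for snippets is rather than an explicit setting; I would keep `allow-snippet-annotations: "false"` in the base config as the safe default and only override it from the patch.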
@@ -28,6 +28,23 @@
 - install
 - update
 
+- name: Apply Mitigation for CVE-2021-25742
+ block:
+ - name: Retreive K8s cluster information
+ community.kubernetes.k8s_cluster_info:
+ kubeconfig: "{{ KUBECONFIG }}"
+ register: cluster_info
+ - name: Update INGRESS_NGINX_CONFIG
+ set_fact:
+ INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG|combine(INGRESS_NGINX_CVE_2021_25742_PATCH, recursive=True)}}"
+ when:
+ - cluster_info.version.server.kubernetes.minor is version(ingressVersions.k8sMinorVersionFloor.value, 'ge')
+ - INGRESS_NGINX_CHART_VERSION is version('4.0.10', ">=") or
+ (INGRESS_NGINX_CHART_VERSION is version('3.40.0', ">=") and INGRESS_NGINX_CHART_VERSION is version('4.0.0', "<"))
+ tags:
+ - install
+ - update
+
 - name: Deploy ingress-nginx
 community.kubernetes.helm:
 name: "{{ INGRESS_NGINX_NAME }}"
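Review bot: The `when:` is attached to the block, and Ansible applies a block-level conditional to every task inside it, so it is evaluated for the `k8s_cluster_info` task before `cluster_info` has been registered — the `cluster_info.version.server.kubernetes.minor` reference will fail the conditional check with an undefined variable and the mitigation never runs. Move the conditions onto the `Update INGRESS_NGINX_CONFIG` task (or take the `k8s_cluster_info` call out of the block) so only the `set_fact` is gated. While there, fix the task-name typo `Retreive` → `Retrieve`, and note that some managed clusters report `minor` with a trailing `+` (e.g. `"21+"`), which I would confirm behaves as intended under the `version` test before relying on it. The `Deploy ingress-nginx` task that follows continues outside the hunk.
```yaml
- name: Apply Mitigation for CVE-2021-25742
  block:
    # … unchanged: k8s_cluster_info task registering cluster_info …
    - name: Update INGRESS_NGINX_CONFIG
      set_fact:
        INGRESS_NGINX_CONFIG: "{{ INGRESS_NGINX_CONFIG|combine(INGRESS_NGINX_CVE_2021_25742_PATCH, recursive=True)}}"
      when:
        - cluster_info.version.server.kubernetes.minor is version(ingressVersions.k8sMinorVersionFloor.value, 'ge')
        - INGRESS_NGINX_CHART_VERSION is version('4.0.10', ">=") or
          (INGRESS_NGINX_CHART_VERSION is version('3.40.0', ">=") and INGRESS_NGINX_CHART_VERSION is version('4.0.0', "<"))
  # … unchanged: tags …
```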