Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
The nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination.
Details
The vulnerability exists because the settings update pipeline does not implement any synchronization primitives. When multiple requests reach the handler simultaneously:
- Memory Corruption:
ProtectedFill()modifies shared global singleton pointers without thread-safety, leading to inconsistent states in memory. - File Corruption: The underlying library (
gopkg.in/ini.v1) performs direct overwrites. Concurrent write operations interleave at the OS level, resulting inapp.inifiles with empty leading lines, truncated fields, or partially overwritten configuration keys. - State Persistent Failure: Depending on which bytes are corrupted, the application either fails its "is-installed" check (redirecting to
/install) or encounters a fatal error during boot/runtime that prevents the process from responding to any further requests.
Environment:
- OS: Kali Linux 6.17.10-1kali1 (6.17.10+kali-amd64)
- Application Version: nginx-ui v2.3.3 (513) e5da6dd (go1.26.0)
- Deployment: Docker Container
PoC
- Check original app.ini file valid state:
<img width="524" height="367" alt="image" src="https://github.com/user-attachments/assets/d9688f76-7fe7-46ea-9eb9-c55bf40918a6" />
- Log in to the
nginx-uidashboard. - Navigate to Preferences and update settings. Capture a
POST /api/settingsrequest and send it to Burp Suite Intruder. - Configure the attack with Null payloads (to test basic concurrency) or a Fuzzing list (to test data-driven corruption).
- Set the Resource Pool to 20-50 concurrent requests.
<img width="1188" height="776" alt="image" src="https://github.com/user-attachments/assets/403eef43-2bc6-4651-8802-15ddcb4f7631" />
- Observation (In-flight corruption): Monitor the
app.inifile. You will observe the file being written with empty leading lines or incomplete key-value pairs.
- <img width="1316" height="390" alt="image" src="https://github.com/user-attachments/assets/d99553f7-d253-4525-9b45-f59994e69180" />
------------------------------------------------
- <img width="1368" height="709" alt="image" src="https://github.com/user-attachments/assets/7522ba29-39f1-4c22-88f2-8e859cdb1984" />
- Observation (Recovery Failure): If the service redirects to
/install, attempting to complete the setup again often fails because the underlying configuration state is too corrupted to be reconciled by the installer logic. - Observation (Total Service Collapse): When the corruption in
app.inibecomes so severe, the Go runtime or the INI parser encounters a fatal error, causing the Nginx-UI service to stop responding entirely (Hard DoS).
<img width="1344" height="542" alt="image" src="https://github.com/user-attachments/assets/da4b99dc-ddce-4b79-b0bb-2d634bdd3bf7" />
- Observation (Cross-Section Contamination): During testing, it was observed that sometimes INI sections become interleaved. For example, fields belonging to the
[nginx]section (likeConfigDirorReloadCmd) were erroneously written under the[webauthn]section.
Example of corrupted output observed:
[webauthn]
RPDisplayName =
RPID =
RPOrigins =
gDirWhiteList =
ConfigDir = /etc/nginx
ConfigPath =
PIDPath = /run/nginx.pid
SbinPath =
TestConfigCmd =
ReloadCmd = nginx -s reload
RestartCmd = nginx -s stop
StubStatusPort = 51820
ContainerName =Impact
This is a High security risk (CWE-362: Race Condition).
- Integrity: Permanent corruption of application settings and system-level configuration.
- Availability: High. The attack results in a persistent Denial of Service that cannot be recovered via the web UI.
- Remote Code Execution (RCE) Risk: Since the application allows updating certain fields (like Node Name) and uses others as shell commands (like ReloadCmd or RestartCmd), the observed "cross-contamination" of INI values means an attacker could potentially force a user-controlled string into a command execution field. If ReloadCmd is overwritten with a malicious payload provided in another field, the next nginx reload will execute that payload. While highly impactful, this specific exploit path is non-deterministic and depends on the precise interleaving of thread execution, making targeted exploitation difficult.
Recommended Mitigation
- Implement Mutex Locking: Wrap the
ProtectedFillandsettings.Save()calls in async.Mutexto serialize access to global settings. - Atomic File Writes: Implement a "write-then-rename" strategy. Write the new configuration to
app.ini.tmpand useos.Rename()to replace the original file atomically, ensuring the configuration file is always in a valid state.
A patched version of nginx-ui is available at https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4.
AnalysisAI
Race condition in nginx-ui web interface allows remote authenticated attackers to corrupt the primary configuration file (app.ini) through concurrent API requests, resulting in persistent denial of service and potential remote code execution. The vulnerability affects nginx-ui versions prior to 2.3.4 deployed in production environments including Docker containers. Concurrent POST requests to /api/settings trigger unsynchronized file writes that interleave at the OS level, corrupting configuration sections and creating cross-contamination between INI fields. In non-deterministic scenarios, user-controlled input can overwrite shell command fields (ReloadCmd, RestartCmd), enabling arbitrary command execution during nginx reload operations. Public exploit code demonstrates the attack path using standard HTTP testing tools. No CISA KEV listing or EPSS data available at time of analysis, but proof-of-concept with detailed reproduction steps exists in the GitHub security advisory.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17152
GHSA-m468-xcm6-fxg4