Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H reflects the required MITM control over upstream responses plus a non-default SSI/proxy_buffering-off config; PR:N as unauthenticated; C:N, I:L (limited memory modification), A:H (worker crash).
Primary rating from Vendor (f5).
CVSS VectorVendor: f5
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_ssi_module module. This vulnerability may exist when the Server-Side Includes (SSI), proxy_pass, and proxy_buffering off directives are configured. With this configuration, an unauthenticated attacker with man-in-the-middle (MITM) ability to control responses from an upstream server may be able to cause a heap buffer over-read in the NGINX worker process. This issue may lead to limited modification of memory or a restart of the NGINX worker process.
Impact: This vulnerability may allow remote attackers to have limited control to modify memory contents or restart the NGINX worker process. There is no control plane exposure; this is a data plane issue only.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Articles & Coverage 1
AnalysisAI
Heap buffer over-read in the ngx_http_ssi_module of NGINX Open Source and NGINX Plus lets an unauthenticated man-in-the-middle attacker who can control upstream responses corrupt worker-process memory or crash the worker, but only in the non-default configuration combining Server-Side Includes, proxy_pass, and proxy_buffering off. The impact is confined to the data plane with no control-plane exposure, yielding limited memory modification and worker restarts (denial of service) rather than full code execution. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all three directives to be active: Server-Side Includes (ssi) enabled, proxy_pass configured, and proxy_buffering set to off - a non-default combination. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:H) scores 8.3 (High), but the real-world priority is meaningfully lower than that number suggests because of two constraints. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker positioned between NGINX and its upstream (e.g., via ARP spoofing, a compromised network segment, or an untrusted upstream link) waits for NGINX - configured with SSI, proxy_pass, and proxy_buffering off - to proxy a request. The attacker tampers with the upstream response to include crafted content that triggers the SSI parser's out-of-bounds read, causing limited memory modification or a worker-process restart (denial of service). … |
| Remediation | Apply the F5-provided update; a patch is available per vendor advisory (exact fixed version not specified in the available data - confirm the target release in F5 article K000162098 at https://my.f5.com/manage/s/article/K000162098). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit your NGINX deployments to identify instances using the vulnerable configuration: Server-Side Includes (SSI) enabled, proxy_pass configured, and proxy_buffering disabled. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Nginx Plus
View allHeap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker
Heap-based buffer overflow in NGINX Plus and NGINX Open Source affects deployments that proxy HTTP/2 or gRPC traffic ups
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module can be triggered by unauthenticated rem
Heap buffer overflow in NGINX Plus and NGINX Open Source lets unauthenticated remote attackers crash worker processes (D
Buffer overflow in NGINX's DAV module allows remote attackers to crash worker processes or manipulate file names outside
Limited memory disclosure and worker-process restart in NGINX Plus and NGINX Open Source arise when the optional ngx_htt
NGINX worker process crashes via null pointer dereference in the mail authentication module when CRAM-MD5 or APOP authen
When the NGINX Plus is configured to use the MQTT pre-read module, undisclosed requests can cause an increase in memory
NGINX Open Source and NGINX Plus contain a buffer over-read or over-write vulnerability in the ngx_http_mp4_module that
Memory disclosure and denial-of-service in NGINX's SCGI and uWSGI proxy modules allow attackers with man-in-the-middle p
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker p
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker p
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44684
GHSA-m73p-xg7q-m8f2