Nginx Plus
Monthly
Limited memory disclosure and worker-process restart in NGINX Plus and NGINX Open Source arise when the optional ngx_http_slice_module is compiled in and configured alongside unnamed regex captures, or when a background cache update occurs, letting remote attackers trigger uninitialized memory access (CWE-908) in the data plane. The CVSS:4.0 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation with no user interaction, scored 8.8. There is no public exploit identified at time of analysis and no CISA KEV listing; F5 has released a patch and the issue does not affect the control plane.
Heap buffer over-read in NGINX Plus's MQTT filter module (ngx_stream_mqtt_filter_module) allows unauthenticated remote attackers to crash the NGINX worker process, causing a brief, recoverable service disruption. The vulnerability is data-plane only - no control plane exposure exists - and exploitation depends partly on runtime conditions outside the attacker's control, reflected by the CVSS 4.0 AT:P metric. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; F5 has released a patch documented in advisory K000162101.
Heap buffer over-read in the ngx_http_ssi_module of NGINX Open Source and NGINX Plus lets an unauthenticated man-in-the-middle attacker who can control upstream responses corrupt worker-process memory or crash the worker, but only in the non-default configuration combining Server-Side Includes, proxy_pass, and proxy_buffering off. The impact is confined to the data plane with no control-plane exposure, yielding limited memory modification and worker restarts (denial of service) rather than full code execution. No public exploit identified at time of analysis, though a vendor patch is available and the flaw carries a CVSS 4.0 score of 8.3.
Heap buffer overflow in NGINX Plus and NGINX Open Source lets unauthenticated remote attackers crash worker processes (DoS) and, on hosts with ASLR disabled or bypassed, potentially execute arbitrary code by sending crafted HTTP requests. The flaw is a data-plane-only issue triggered when a regex-based map directive references the map's regex capture variables before the map output variable in a string expression, or via a non-cacheable variable under certain conditions. F5 has released a patched version; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Heap buffer over-read in NGINX Plus and NGINX Open Source's ngx_http_charset_module exposes limited worker process memory or triggers a worker restart when remote unauthenticated attackers send crafted requests against a non-default charset conversion configuration. Exploitation requires both a specific dual-directive configuration (source_charset utf-8 alongside a differing charset directive such as koi8-r in the same location block) and content-dependent conditions outside the attacker's direct control, reflected in the CVSS AC:H rating. No public exploit code exists and this CVE does not appear in the CISA KEV catalog; the vendor F5 has published advisory K000161585 with patched version guidance.
Heap-based buffer overflow in NGINX Plus and NGINX Open Source affects deployments that proxy HTTP/2 or gRPC traffic upstream when ignore_invalid_headers is off and large_client_header_buffers exceeds 2 MB. Remote unauthenticated attackers sending oversized headers can crash the worker process, and where ASLR is disabled or bypassable, achieve arbitrary code execution. No public exploit identified at time of analysis and CISA SSVC marks exploitation as 'none', but technical impact is rated total.
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module can be triggered by unauthenticated remote attackers sending crafted HTTP requests that target rewrite directives using overlapping PCRE captures (e.g., $1$2 referencing ^/((.*))$) in redirect or arguments contexts. Impact ranges from worker process crash/restart to arbitrary code execution where ASLR is disabled or bypassed; publicly available exploit code exists, though EPSS exploitation probability is low (0.15%, 35th percentile) and the issue is not in CISA KEV.
NGINX Plus and NGINX Open Source configured with the HTTP/3 QUIC module allows unauthenticated remote attackers to spoof source IP addresses, enabling bypass of authorization checks and rate-limiting controls. The vulnerability affects both commercial and open-source variants when QUIC is explicitly enabled, with patches available from F5.
Memory disclosure and denial-of-service in NGINX's SCGI and uWSGI proxy modules allow attackers with man-in-the-middle position between NGINX and upstream servers to read worker process memory or crash the service. Affects both NGINX Open Source and NGINX Plus when scgi_pass or uwsgi_pass directives are configured. The vulnerability requires network positioning between NGINX and its backend servers (AV:N with AT:P - Present attack complexity), making exploitation dependent on network architecture. No public exploit identified at time of analysis. CVSS 8.3 (High) reflects potential for confidential data exposure but limited by MITM prerequisite.
Heap buffer over-read in NGINX's ngx_http_charset_module allows unauthenticated remote attackers to leak sensitive memory or crash worker processes when specific configuration directives (charset, source_charset, charset_map, and proxy_pass with buffering disabled) are combined. The vulnerability requires attacker-controlled conditions that depend on factors outside the attacker's control, limiting exploitability but creating real risk for affected deployments. CVSS 4.8 reflects the conditional nature of exploitation and limited scope of impact (information disclosure or availability).
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker processes and potentially execute code on systems without ASLR. The vulnerability requires specific rewrite directive configurations using PCRE captures with question marks in replacement strings, combined with attacker-crafted HTTP requests and conditions beyond the attacker's control. F5 has released patches addressing this critical flaw. EPSS data unavailable; no KEV listing or public exploit identified at time of analysis, though the specific configuration requirements and dependency on external conditions likely limit widespread exploitation despite the 9.2 CVSS score.
Heap-use-after-free in NGINX Plus and NGINX Open Source allows unauthenticated remote attackers to trigger memory corruption in the worker process when ssl_verify_client is set to 'on' or 'optional' and ssl_ocsp is configured with a resolver. Exploitation can cause limited information disclosure or worker process restart, with CVSS 4.8 reflecting moderate impact constrained by high attack complexity. No public exploit code or active exploitation has been identified at time of analysis.
NGINX worker process crashes via null pointer dereference in the mail authentication module when CRAM-MD5 or APOP authentication is configured with retry-enabled backend servers. This denial of service vulnerability affects NGINX Plus and NGINX Open Source with no patch currently available, allowing unauthenticated remote attackers to terminate worker processes and degrade service availability.
Buffer overflow in NGINX's DAV module allows remote attackers to crash worker processes or manipulate file names outside the document root when MOVE/COPY methods are combined with prefix location and alias directives. The vulnerability affects NGINX Open Source and NGINX Plus installations using vulnerable configurations, though the low-privilege worker process context limits the scope of file manipulation. No patch is currently available for this high-severity issue.
NGINX Open Source and NGINX Plus contain a buffer over-read or over-write vulnerability in the ngx_http_mp4_module that can lead to NGINX worker process termination or potentially remote code execution. An attacker with local access and the ability to supply a specially crafted MP4 file for processing can exploit this flaw when the mp4 directive is enabled in the configuration. The vulnerability has a CVSS score of 7.8 with high impact on confidentiality, integrity, and availability, though exploitation requires local access (AV:L) and low-level privileges (PR:L).
NGINX proxy configurations forwarding traffic to upstream TLS servers can be exploited by network-positioned attackers to inject unencrypted data into proxied responses, potentially compromising data integrity. This vulnerability affects NGINX OSS, NGINX Plus, and related products when specific upstream server conditions are present. No patch is currently available for this medium-severity issue.
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
When the NGINX Plus is configured to use the MQTT pre-read module, undisclosed requests can cause an increase in memory resource utilization. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_hls_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its crash or. Rated high severity (CVSS 7.0). No vendor patch available.
Limited memory disclosure and worker-process restart in NGINX Plus and NGINX Open Source arise when the optional ngx_http_slice_module is compiled in and configured alongside unnamed regex captures, or when a background cache update occurs, letting remote attackers trigger uninitialized memory access (CWE-908) in the data plane. The CVSS:4.0 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation with no user interaction, scored 8.8. There is no public exploit identified at time of analysis and no CISA KEV listing; F5 has released a patch and the issue does not affect the control plane.
Heap buffer over-read in NGINX Plus's MQTT filter module (ngx_stream_mqtt_filter_module) allows unauthenticated remote attackers to crash the NGINX worker process, causing a brief, recoverable service disruption. The vulnerability is data-plane only - no control plane exposure exists - and exploitation depends partly on runtime conditions outside the attacker's control, reflected by the CVSS 4.0 AT:P metric. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; F5 has released a patch documented in advisory K000162101.
Heap buffer over-read in the ngx_http_ssi_module of NGINX Open Source and NGINX Plus lets an unauthenticated man-in-the-middle attacker who can control upstream responses corrupt worker-process memory or crash the worker, but only in the non-default configuration combining Server-Side Includes, proxy_pass, and proxy_buffering off. The impact is confined to the data plane with no control-plane exposure, yielding limited memory modification and worker restarts (denial of service) rather than full code execution. No public exploit identified at time of analysis, though a vendor patch is available and the flaw carries a CVSS 4.0 score of 8.3.
Heap buffer overflow in NGINX Plus and NGINX Open Source lets unauthenticated remote attackers crash worker processes (DoS) and, on hosts with ASLR disabled or bypassed, potentially execute arbitrary code by sending crafted HTTP requests. The flaw is a data-plane-only issue triggered when a regex-based map directive references the map's regex capture variables before the map output variable in a string expression, or via a non-cacheable variable under certain conditions. F5 has released a patched version; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Heap buffer over-read in NGINX Plus and NGINX Open Source's ngx_http_charset_module exposes limited worker process memory or triggers a worker restart when remote unauthenticated attackers send crafted requests against a non-default charset conversion configuration. Exploitation requires both a specific dual-directive configuration (source_charset utf-8 alongside a differing charset directive such as koi8-r in the same location block) and content-dependent conditions outside the attacker's direct control, reflected in the CVSS AC:H rating. No public exploit code exists and this CVE does not appear in the CISA KEV catalog; the vendor F5 has published advisory K000161585 with patched version guidance.
Heap-based buffer overflow in NGINX Plus and NGINX Open Source affects deployments that proxy HTTP/2 or gRPC traffic upstream when ignore_invalid_headers is off and large_client_header_buffers exceeds 2 MB. Remote unauthenticated attackers sending oversized headers can crash the worker process, and where ASLR is disabled or bypassable, achieve arbitrary code execution. No public exploit identified at time of analysis and CISA SSVC marks exploitation as 'none', but technical impact is rated total.
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module can be triggered by unauthenticated remote attackers sending crafted HTTP requests that target rewrite directives using overlapping PCRE captures (e.g., $1$2 referencing ^/((.*))$) in redirect or arguments contexts. Impact ranges from worker process crash/restart to arbitrary code execution where ASLR is disabled or bypassed; publicly available exploit code exists, though EPSS exploitation probability is low (0.15%, 35th percentile) and the issue is not in CISA KEV.
NGINX Plus and NGINX Open Source configured with the HTTP/3 QUIC module allows unauthenticated remote attackers to spoof source IP addresses, enabling bypass of authorization checks and rate-limiting controls. The vulnerability affects both commercial and open-source variants when QUIC is explicitly enabled, with patches available from F5.
Memory disclosure and denial-of-service in NGINX's SCGI and uWSGI proxy modules allow attackers with man-in-the-middle position between NGINX and upstream servers to read worker process memory or crash the service. Affects both NGINX Open Source and NGINX Plus when scgi_pass or uwsgi_pass directives are configured. The vulnerability requires network positioning between NGINX and its backend servers (AV:N with AT:P - Present attack complexity), making exploitation dependent on network architecture. No public exploit identified at time of analysis. CVSS 8.3 (High) reflects potential for confidential data exposure but limited by MITM prerequisite.
Heap buffer over-read in NGINX's ngx_http_charset_module allows unauthenticated remote attackers to leak sensitive memory or crash worker processes when specific configuration directives (charset, source_charset, charset_map, and proxy_pass with buffering disabled) are combined. The vulnerability requires attacker-controlled conditions that depend on factors outside the attacker's control, limiting exploitability but creating real risk for affected deployments. CVSS 4.8 reflects the conditional nature of exploitation and limited scope of impact (information disclosure or availability).
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker processes and potentially execute code on systems without ASLR. The vulnerability requires specific rewrite directive configurations using PCRE captures with question marks in replacement strings, combined with attacker-crafted HTTP requests and conditions beyond the attacker's control. F5 has released patches addressing this critical flaw. EPSS data unavailable; no KEV listing or public exploit identified at time of analysis, though the specific configuration requirements and dependency on external conditions likely limit widespread exploitation despite the 9.2 CVSS score.
Heap-use-after-free in NGINX Plus and NGINX Open Source allows unauthenticated remote attackers to trigger memory corruption in the worker process when ssl_verify_client is set to 'on' or 'optional' and ssl_ocsp is configured with a resolver. Exploitation can cause limited information disclosure or worker process restart, with CVSS 4.8 reflecting moderate impact constrained by high attack complexity. No public exploit code or active exploitation has been identified at time of analysis.
NGINX worker process crashes via null pointer dereference in the mail authentication module when CRAM-MD5 or APOP authentication is configured with retry-enabled backend servers. This denial of service vulnerability affects NGINX Plus and NGINX Open Source with no patch currently available, allowing unauthenticated remote attackers to terminate worker processes and degrade service availability.
Buffer overflow in NGINX's DAV module allows remote attackers to crash worker processes or manipulate file names outside the document root when MOVE/COPY methods are combined with prefix location and alias directives. The vulnerability affects NGINX Open Source and NGINX Plus installations using vulnerable configurations, though the low-privilege worker process context limits the scope of file manipulation. No patch is currently available for this high-severity issue.
NGINX Open Source and NGINX Plus contain a buffer over-read or over-write vulnerability in the ngx_http_mp4_module that can lead to NGINX worker process termination or potentially remote code execution. An attacker with local access and the ability to supply a specially crafted MP4 file for processing can exploit this flaw when the mp4 directive is enabled in the configuration. The vulnerability has a CVSS score of 7.8 with high impact on confidentiality, integrity, and availability, though exploitation requires local access (AV:L) and low-level privileges (PR:L).
NGINX proxy configurations forwarding traffic to upstream TLS servers can be exploited by network-positioned attackers to inject unencrypted data into proxied responses, potentially compromising data integrity. This vulnerability affects NGINX OSS, NGINX Plus, and related products when specific upstream server conditions are present. No patch is currently available for this medium-severity issue.
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
When the NGINX Plus is configured to use the MQTT pre-read module, undisclosed requests can cause an increase in memory resource utilization. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_hls_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its crash or. Rated high severity (CVSS 7.0). No vendor patch available.