NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_proxy_v2_module and ngx_http_grpc_module modules. This vulnerability exists when the proxy_http_version to 2 or grpc_pass directives are used to proxy HTTP/2 traffic, the ignore_invalid_headers directive is set to off, and the large_client_header_buffers directive size is larger than 2 megabytes. A remote, unauthenticated attacker, along with conditions beyond their control, could send large headers while creating an upstream request. This may cause a heap-based buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Dos | F5 | 4.9.0 (including) | 4.9.0 (including) |
| Nginx_app_protect_dos | F5 | 4.3.0 (including) | 4.7.0 (including) |
| Nginx_app_protect_waf | F5 | 4.10.0 (including) | 4.16.0 (including) |
| Nginx_app_protect_waf | F5 | 5.2.0 (including) | 5.8.0 (including) |
| Nginx_gateway_fabric | F5 | 1.3.0 (including) | 1.6.2 (including) |
| Nginx_gateway_fabric | F5 | 2.0.0 (including) | 2.6.4 (excluding) |
| Nginx_ingress_controller | F5 | 3.5.0 (including) | 3.7.2 (including) |
| Nginx_ingress_controller | F5 | 5.0.0 (including) | 5.5.1 (excluding) |
| Nginx_ingress_controller | F5 | 4.0.0 (including) | 4.0.0 (including) |
| Nginx_ingress_controller | F5 | 4.0.1 (including) | 4.0.1 (including) |
| Nginx_instance_manager | F5 | 2.17.0 (including) | 2.22.0 (including) |
| Nginx_open_source | F5 | 1.30.0 (including) | 1.30.3 (excluding) |
| Nginx_open_source | F5 | 1.31.1 (including) | 1.31.1 (including) |
| Nginx_plus | F5 | 37.0.0 (including) | 37.0.1 (including) |
| Nginx_plus | F5 | r3 (including) | r3 (including) |
| Nginx_plus | F5 | r30 (including) | r30 (including) |
| Nginx_plus | F5 | r30-p1 (including) | r30-p1 (including) |
| Nginx_plus | F5 | r30-p2 (including) | r30-p2 (including) |
| Nginx_plus | F5 | r31 (including) | r31 (including) |
| Nginx_plus | F5 | r31-p1 (including) | r31-p1 (including) |
| Nginx_plus | F5 | r31-p2 (including) | r31-p2 (including) |
| Nginx_plus | F5 | r31-p3 (including) | r31-p3 (including) |
| Nginx_plus | F5 | r32 (including) | r32 (including) |
| Nginx_plus | F5 | r32-p1 (including) | r32-p1 (including) |
| Nginx_plus | F5 | r32-p2 (including) | r32-p2 (including) |
| Nginx_plus | F5 | r32-p3 (including) | r32-p3 (including) |
| Nginx_plus | F5 | r32-p4 (including) | r32-p4 (including) |
| Nginx_plus | F5 | r33 (including) | r33 (including) |
| Nginx_plus | F5 | r33-p1 (including) | r33-p1 (including) |
| Nginx_plus | F5 | r33-p2 (including) | r33-p2 (including) |
| Nginx_plus | F5 | r33-p3 (including) | r33-p3 (including) |
| Nginx_plus | F5 | r34 (including) | r34 (including) |
| Nginx_plus | F5 | r34-p1 (including) | r34-p1 (including) |
| Nginx_plus | F5 | r34-p2 (including) | r34-p2 (including) |
| Nginx_plus | F5 | r35 (including) | r35 (including) |
| Nginx_plus | F5 | r35-p1 (including) | r35-p1 (including) |
| Nginx_plus | F5 | r36 (including) | r36 (including) |
| Nginx_plus | F5 | r36-p1 (including) | r36-p1 (including) |
| Nginx_plus | F5 | r36-p2 (including) | r36-p2 (including) |
| Nginx_plus | F5 | r36-p3 (including) | r36-p3 (including) |
| Nginx_plus | F5 | r36-p4 (including) | r36-p4 (including) |
| Nginx_plus | F5 | r36-p5 (including) | r36-p5 (including) |
| Waf | F5 | 5.9.0 (including) | 5.13.1 (including) |
| Waf | F5 | 4.8.1 (including) | 4.8.1 (including) |
| Red Hat Enterprise Linux 10 | RedHat | nginx-2:1.26.3-6.el10_2.5 | * |
| Red Hat Enterprise Linux 9 | RedHat | nginx-2:1.20.1-28.el9_8.4 | * |
| Red Hat Enterprise Linux 9 | RedHat | nginx:1.24-9080020260707164406.9 | * |
| Red Hat Enterprise Linux 9 | RedHat | nginx:1.26-9080020260707110000.9 | * |
| Red Hat Hardened Images | RedHat | nginx-main-1.30.3-2.hum1 | * |
| Nginx | Ubuntu | devel | * |
| Nginx | Ubuntu | jammy | * |
| Nginx | Ubuntu | noble | * |
| Nginx | Ubuntu | questing | * |
| Nginx | Ubuntu | resolute | * |
| Nginx | Ubuntu | upstream | * |