Security Vulnerabilities Discovered in nginx HTTP/3 Implementation

By admin

On February 14, 2024, Sergey Kandaurov from reported two critical security vulnerabilities affecting the HTTP/3 implementation in nginx servers. These vulnerabilities, identified as CVE-2024-24989 and CVE-2024-24990, pose significant risks as they could potentially allow malicious actors to exploit a specially crafted QUIC session, resulting in a worker process crash or other potential impacts.

The vulnerabilities specifically affect nginx instances compiled with the ngx_http_v3_module, though it’s important to note that this module is not compiled by default. If the “quic” option of the “listen” directive is utilized in the server’s configuration file, the system becomes vulnerable.

These security flaws have been confirmed to impact nginx versions 1.25.0 through 1.25.3. However, nginx swiftly addressed these issues with the release of version 1.25.4, which includes the necessary fixes to mitigate these vulnerabilities.

Website administrators and system operators are strongly urged to update their nginx installations to version 1.25.4 or later to ensure the security and stability of their web servers. Prompt action is recommended to prevent potential exploitation of these vulnerabilities and to maintain the integrity of nginx-powered web infrastructures.

For further details and updates regarding this security advisory, users are encouraged to refer to the nginx-announce mailing list.