vulnerability exists in NGINX Plus and NGINX Open Source
Summary
A vulnerability exists in NGINX Plus and NGINX Open Source when a map directive uses regex matching and a string expression references the map's regex capture variables before referencing the map output variable. Alternatively, the same result could be achieved by using a non-cacheable variable in a string expression under certain conditions. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Impact: This vulnerability may allow remote attackers to cause a denial-of-service (DoS) on the NGINX system or to possibly trigger a code execution. There is no control plane exposure; this is a data plane issue only. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
What this means
In plain English
A vulnerability exists in NGINX Plus and NGINX Open Source when a map directive uses regex matching and a string expression references the map's regex capture variables before referencing the map output variable. Alternatively, the same result could be achieved by using a non-cacheable variable in a string expression under certain conditions. An unauthenticated attacker along with conditions beyond their control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. The official description indicates that exploitation does not require prior authentication. Successful exploitation can let an attacker run code in the security context of the affected service or device.
Recommended action
Primary action: update to a vendor-listed fixed release: 37.0.3.1, R36 P7, 1.31.3, 1.30.4.
Rewritten locally from the scraped official advisory data above; no generative API is used. The vendor advisory is authoritative.
- NGINX Plus 37.0.0.1 before 37.0.3.1
- NGINX Plus R36 before R36 P7
- NGINX Plus R33
- NGINX Open Source 1.31.2 before 1.31.3
- NGINX Open Source 0.9.6 before 1.30.4
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
- 37.0.3.1
- R36 P7
- 1.31.3
- 1.30.4
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation
Upgrade to a fixed release: 37.0.3.1, R36 P7, 1.31.3, 1.30.4. That is the remediation for this advisory.
The vendor advisory may list additional interim mitigations or workarounds not captured here — review it before change work.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.