NGINX 1.27.0 Fixes 4 HTTP/3 Vulnerabilities

nginx 1.27.0, the first release of the new mainline branch, has been published; development of new capabilities continues in this branch. Alongside it, nginx 1.26.1 has been released in the parallel supported stable branch, which receives only changes that fix serious errors and vulnerabilities. A stable branch 1.28 will be established next year based on the mainline branch 1.27.x. The project code is written in C and is distributed under the BSD license.

Four vulnerabilities have been fixed in the new releases. All of them affect the experimental ngx_http_v3 module (disabled by default), which implements the HTTP/3 protocol over the QUIC transport. One of the vulnerabilities, CVE-2024-34161, results in a memory leak in the worker process on systems with an MTU greater than 4096 bytes.

The other vulnerabilities, CVE-2024-31079, CVE-2024-32760, and CVE-2024-35200, are caused by memory corruption and allow a remote attacker to forcibly terminate the nginx worker process by establishing specially crafted QUIC sessions. These vulnerabilities could potentially also lead to execution of attacker code. The vulnerabilities are exposed only when the ngx_http_v3_module module is enabled and the “quic” option is set in the “listen” directive. No reports have been made regarding the forks Angie and freenginx being affected.
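The exposure condition above can be checked on a host from the output of `nginx -v` and `nginx -T`. The following is an added example, not part of the original announcement or of nginx itself; it assumes an unmodified upstream build, so any version below 1.26.1 is treated as lacking the fixes, and the function names and sample input are constructed for illustration.

```python
import re

# The article names 1.26.1 (stable) and 1.27.0 (mainline) as the fixed releases.
FIXED_STABLE = (1, 26, 1)

def parse_version(banner):
    """Extract (major, minor, patch) from text such as 'nginx version: nginx/1.25.5'."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no nginx version found in %r" % banner)
    return tuple(int(x) for x in m.groups())

def has_fix(version):
    # Assumption: upstream build; fixes backported by a distribution are not detected.
    return version >= FIXED_STABLE

def quic_listeners(config_text):
    """Return (line_number, directive) for every listen directive with the quic parameter."""
    hits = []
    statement, start = [], None
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = re.sub(r"#.*", "", raw)  # drop comments (a quoted '#' is not handled)
        for token in re.findall(r"[;{}]|[^\s;{}]+", line):
            if token in ";{}":
                if statement and statement[0] == "listen" and "quic" in statement[1:]:
                    hits.append((start, " ".join(statement)))
                statement, start = [], None
            else:
                if not statement:
                    start = lineno
                statement.append(token)
    return hits

def exposed(banner, config_text):
    """True when HTTP/3 is reachable (listen ... quic) on a build without the fixes."""
    return bool(quic_listeners(config_text)) and not has_fix(parse_version(banner))

# Constructed sample input, shaped like `nginx -v` and `nginx -T` output.
SAMPLE_BANNER = "nginx version: nginx/1.25.5"
SAMPLE_CONFIG = """
server {
    listen 443 ssl;
    listen 443 quic reuseport;   # HTTP/3 over UDP
    # listen 8443 quic;
}
"""

if __name__ == "__main__":
    print(quic_listeners(SAMPLE_CONFIG), exposed(SAMPLE_BANNER, SAMPLE_CONFIG))
```

A commented-out listener is ignored, and a host is reported as exposed only when both conditions hold: a `listen` directive carrying `quic` and a version below the fixed releases.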

Other changes in nginx 1.27.0, in addition to the vulnerability fixes, include:

  • Support for variables in the “proxy_limit_rate”, “fastcgi_limit_rate”, “scgi_limit_rate”, and “uwsgi_limit_rate” directives.
  • Reduced memory consumption when processing long-lived requests in configurations that use directives such as “gzip”, “gunzip”, “ssi”, “sub_filter”, or “grpc_pass”.