<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Vulnerability Spoiler Alert - nginx/nginx</title>
    <link>https://spaceraccoon.github.io/vulnerability-spoiler-alert</link>
    <description>Vulnerability alerts for nginx/nginx</description>
    <language>en-us</language>
    <lastBuildDate>Fri, 17 Apr 2026 01:52:35 GMT</lastBuildDate>
    <atom:link href="https://spaceraccoon.github.io/vulnerability-spoiler-alert/feed/nginx-nginx.xml" rel="self" type="application/rss+xml"/>
    <item>
      <title>[HIGH] Authentication Bypass in nginx/nginx</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/104</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/104</guid>
      <pubDate>Tue, 24 Mar 2026 15:49:30 GMT</pubDate>
      <description>In the nginx stream SSL module, the OCSP (Online Certificate Status Protocol) certificate revocation check was not being performed during client certificate validation. The code would verify the certificate chain but skip the OCSP status check, allowing clients with revoked certificates to successfully authenticate. The patch adds the missing `ngx_ssl_ocsp_get_status()` call that properly checks and enforces OCSP certificate revocation status.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Integer Overflow leading to Out-of-Bounds Read/Write in nginx/nginx</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/103</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/103</guid>
      <pubDate>Tue, 24 Mar 2026 14:49:11 GMT</pubDate>
      <description>On 32-bit platforms, multiplying a uint32_t `entries` value by the size of a struct (also size_t/32-bit) could overflow before being compared to the uint64_t `atom_data_size`. This allowed an attacker to craft a malicious MP4 file with a large entries count that, after overflow, appeared to pass the size validation check, causing nginx to process entries beyond the allocated buffer boundaries with out-of-bounds reads and writes. The fix casts `entries` to uint64_t before multiplication to prevent the overflow.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Heap Buffer Overflow in nginx/nginx</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/102</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/102</guid>
      <pubDate>Tue, 24 Mar 2026 14:48:53 GMT</pubDate>
      <description>When the nginx WebDAV module (ngx_http_dav_module) processed COPY or MOVE requests with an alias directive configured, supplying a Destination header with a URI shorter than the alias prefix caused an integer underflow in ngx_http_map_uri_to_path(). The underflow resulted in a heap buffer overwrite, which could allow an attacker to manipulate source or destination file paths to be outside the configured location root (path traversal via memory corruption). The patch adds a validation check that rejects Destination URIs shorter than the alias length before the vulnerable path mapping occurs.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Header Injection / SMTP Injection in nginx/nginx</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/101</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/101</guid>
      <pubDate>Tue, 24 Mar 2026 14:48:33 GMT</pubDate>
      <description>Before the patch, when nginx&apos;s mail module resolved a client&apos;s IP address to a hostname, it used the resolved hostname without validation in auth_http requests and SMTP proxy communications. An attacker controlling DNS responses could return a hostname containing newlines, spaces, or other special characters, enabling injection of arbitrary headers into auth_http requests or arbitrary SMTP commands into the proxied SMTP session. The patch validates that the resolved hostname only contains RFC 1034-compliant characters (letters, digits, hyphens, dots).</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Null Pointer Dereference in nginx/nginx</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/100</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/100</guid>
      <pubDate>Tue, 24 Mar 2026 14:48:12 GMT</pubDate>
      <description>When authenticating with CRAM-MD5 or APOP methods, the code set `s-&amp;gt;passwd.data = NULL` but did not reset `s-&amp;gt;passwd.len`. On a subsequent authentication attempt, the non-zero length would cause the code to attempt to use the null pointer as if it pointed to valid password data, resulting in a null pointer dereference and worker process crash. The fix uses `ngx_str_null(&amp;s-&amp;gt;passwd)` which correctly zeroes both the data pointer and the length.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Buffer Overread/Overwrite in nginx/nginx</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/99</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/99</guid>
      <pubDate>Tue, 24 Mar 2026 14:23:08 GMT</pubDate>
      <description>The nginx mp4 module had off-by-one errors in bounds checking for stco and co64 atoms. When `trak-&amp;gt;start_chunk` equaled `trak-&amp;gt;chunks` (i.e., pointing exactly past the end of the chunks array), the old check `trak-&amp;gt;start_chunk &amp;gt; trak-&amp;gt;chunks` would pass, allowing out-of-bounds memory access. Similarly, empty stsz sample arrays could be processed, leading to buffer overread/overwrite. The patch changes `&amp;gt;` to `&amp;gt;=` to properly reject these boundary cases.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Improper Authentication / Cryptographic Token Misbinding (QUIC Stateless Reset token exposure leading to DoS) in nginx/nginx</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/59</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/59</guid>
      <pubDate>Fri, 27 Feb 2026 15:44:28 GMT</pubDate>
      <description>Before the patch, the QUIC stateless reset token was derived only from a shared secret and the connection ID, making the token identical across workers. In a multi-worker configuration with packet steering, an attacker could intentionally route a victim connection&apos;s packet to a different worker to trigger emission/observation of the stateless reset token, then forge a QUIC Stateless Reset to immediately terminate the victim connection (remote DoS). The patch binds the derived token to the worker number by incorporating ngx_worker into the KDF input, making tokens differ per worker and preventing cross-worker token acquisition/abuse.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] NULL Pointer Dereference (Remote Denial of Service) in nginx/nginx</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/58</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/58</guid>
      <pubDate>Fri, 27 Feb 2026 15:44:07 GMT</pubDate>
      <description>Before the patch, the QUIC OpenSSL compatibility keylog callback discarded failures from ngx_quic_compat_set_encryption_secret(). Under memory pressure (allocation failure), the encryption context (secret-&amp;gt;ctx) could remain NULL, yet ngx_quic_compat_create_record() would proceed to encrypt and dereference the NULL ctx, crashing the NGINX worker. The patch checks the return value, marks the QUIC connection as errored to fail the handshake cleanly, and adds a NULL guard in record creation to prevent the crash.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] Denial of Service (DoS) / Amplification via Stateless Reset flooding in nginx/nginx</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/56</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/56</guid>
      <pubDate>Thu, 26 Feb 2026 14:19:34 GMT</pubDate>
      <description>Before the patch, nginx would generate and send a QUIC Stateless Reset for every incoming packet that triggered the stateless reset path, with no per-source rate limiting. An attacker could spoof many UDP packets (often with spoofed source IPs) to force the server to spend CPU on hashing/random generation and to emit many Stateless Reset packets, creating resource exhaustion and reflected traffic. The patch adds a per-second Bloom-filter-based limiter keyed by source address so repeated triggers from the same address are declined.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[HIGH] Buffer Overflow/Out-of-bounds Memory Access in nginx/nginx</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/46</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/46</guid>
      <pubDate>Mon, 23 Feb 2026 10:32:03 GMT</pubDate>
      <description>The code failed to validate that sync sample values in MP4 stss atoms are 1-based as required by ISO 14496-12. A zero-valued stss entry caused the key_prefix calculation to exceed consumed samples, leading the backward loop in ngx_http_mp4_crop_stts_data() to walk past the beginning of the stts data buffer, causing out-of-bounds memory access.</description>
      <category>high</category>
      <category>unverified</category>
    </item>
    <item>
      <title>[MEDIUM] HTTP Request Smuggling / Content Length Mismatch in nginx/nginx</title>
      <link>https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/27</link>
      <guid isPermaLink="true">https://github.com/spaceraccoon/vulnerability-spoiler-alert/issues/27</guid>
      <pubDate>Tue, 17 Feb 2026 13:53:09 GMT</pubDate>
      <description>The vulnerability allows attackers to cause a mismatch between the Content-Length header sent to SCGI backends and the actual request body size in unbuffered mode. This can desynchronize nginx and the SCGI backend, potentially enabling HTTP request smuggling attacks.</description>
      <category>medium</category>
      <category>unverified</category>
    </item>
  </channel>
</rss>