F5 Networks Nginx Open Source

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in F5 Networks Nginx Open Source.

By the Year

In 2026 there have been 1 vulnerability in F5 Networks Nginx Open Source with an average score of 5.9 out of ten. Last year, in 2025 Nginx Open Source had 2 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Nginx Open Source in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 1.90.

Year	Vulnerabilities	Average Score
2026	1	5.90
2025	2	4.00
2024	7	5.94

It may take a day or so for new Nginx Open Source vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent F5 Networks Nginx Open Source Security Vulnerabilities

A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers
CVE-2026-1642 5.9 - Medium - February 04, 2026

A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server sidealong with conditions beyond the attacker's controlmay be able to inject plain text data into the response from an upstream proxied server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Acceptance of Extraneous Untrusted Data With Trusted Data

NGINX ngx_mail_smtp_module Memory Over-read Leakage in SMTP Auth
CVE-2025-53859 3.7 - Low - August 13, 2025

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication server. This issue happens during the NGINX SMTP authentication process and requires the attacker to make preparations against the target system to extract the leaked data. The issue affects NGINX only if (1) it is built with the ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method "none," and (3) the authentication server returns the "Auth-Wait" response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Out-of-bounds Read

Nginx TLS Session Resumption Bypass on Shared IP/Port with ClientCert Auth
CVE-2025-23419 4.3 - Medium - February 05, 2025

When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key are used and/or the SSL session cache https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache are used in the default server and the default server is performing client certificate authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AuthZ

NGINX ngx_http_mp4 overflow crash via crafted MP4
CVE-2024-7347 4.7 - Medium - August 14, 2024

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Buffer Over-read

NGINX: Worker Crashes via Undisclosed HTTP/3 QUIC Requests
CVE-2024-35200 5.3 - Medium - May 29, 2024

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate.

NULL Pointer Dereference

NGINX QUIC Packet Leak: Undisclosed QUIC Causes Worker Process Memory Leak
CVE-2024-34161 5.3 - Medium - May 29, 2024

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory.

Dangling pointer

NGINX HTTP/3 QUIC Encoder Crash in NGINX Plus/OSS
CVE-2024-32760 6.5 - Medium - May 29, 2024

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause or other potential impact.

Memory Corruption

NGINX HTTP/3 QUIC Module Process Termination via Undisclosed Requests
CVE-2024-31079 4.8 - Medium - May 29, 2024

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other potential impact. This attack requires that a request be specifically timed during the connection draining process, which the attacker has no visibility and limited influence over.

Memory Corruption

NGINX HTTP/3 QUIC Module Crashes Workers on Undisclosed Requests
CVE-2024-24990 7.5 - High - February 14, 2024

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html . Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

Dangling pointer

NGINX QUIC Crash via Undisclosed HTTP/3 Requests (CVE-2024-24989)
CVE-2024-24989 7.5 - High - February 14, 2024

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html . NOTE: Software versions which have reached End of Technical Support (EoTS) are not evaluated

NULL Pointer Dereference

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for F5 Networks Nginx Open Source or by F5 Networks? Click the Watch button to subscribe.

F5 Networks
Vendor

F5 Networks Nginx Open Source
Product

F5 Networks Nginx Open Source

Don't miss out!

By the Year

Recent F5 Networks Nginx Open Source Security Vulnerabilities

A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers CVE-2026-1642 5.9 - Medium - February 04, 2026

NGINX ngx_mail_smtp_module Memory Over-read Leakage in SMTP Auth CVE-2025-53859 3.7 - Low - August 13, 2025

Nginx TLS Session Resumption Bypass on Shared IP/Port with ClientCert Auth CVE-2025-23419 4.3 - Medium - February 05, 2025

NGINX ngx_http_mp4 overflow crash via crafted MP4 CVE-2024-7347 4.7 - Medium - August 14, 2024

NGINX: Worker Crashes via Undisclosed HTTP/3 QUIC Requests CVE-2024-35200 5.3 - Medium - May 29, 2024

NGINX QUIC Packet Leak: Undisclosed QUIC Causes Worker Process Memory Leak CVE-2024-34161 5.3 - Medium - May 29, 2024

NGINX HTTP/3 QUIC Encoder Crash in NGINX Plus/OSS CVE-2024-32760 6.5 - Medium - May 29, 2024

NGINX HTTP/3 QUIC Module Process Termination via Undisclosed Requests CVE-2024-31079 4.8 - Medium - May 29, 2024

NGINX HTTP/3 QUIC Module Crashes Workers on Undisclosed Requests CVE-2024-24990 7.5 - High - February 14, 2024

NGINX QUIC Crash via Undisclosed HTTP/3 Requests (CVE-2024-24989) CVE-2024-24989 7.5 - High - February 14, 2024