NGINX NGINX Makers of nginx server

  1. Vendors
  2. NGINX

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any NGINX product.

RSS Feeds for NGINX security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in NGINX products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by NGINX Sorted by Most Security Vulnerabilities since 2018

nginx28 vulnerabilities
Popular web server

NGINX Njs28 vulnerabilities

NGINX Unit1 vulnerability

By the Year

In 2026 there have been 0 vulnerabilities in NGINX. Last year, in 2025 NGINX had 1 security vulnerability published. Right now, NGINX is on track to have less security vulnerabilities in 2026 than it did last year.




Year Vulnerabilities Average Score
2026 0 0.00
2025 1 4.30
2024 6 5.85
2023 5 8.42
2022 16 7.33
2021 2 8.75
2020 5 5.92
2019 12 8.68
2018 3 7.03

It may take a day or so for new NGINX vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent NGINX Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2025-23419 Feb 05, 2025
Nginx TLS Session Resumption Bypass on Shared IP/Port with ClientCert Auth When multiple server blocks are configured to share the same IP address and port, an attacker can use session resumption to bypass client certificate authentication requirements on these servers. This vulnerability arises when TLS Session Tickets https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key are used and/or the SSL session cache https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_cache are used in the default server and the default server is performing client certificate authentication.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
nginx
CVE-2024-7347 Aug 14, 2024
NGINX ngx_http_mp4 overflow crash via crafted MP4 NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module, which might allow an attacker to over-read NGINX worker memory resulting in its termination, using a specially crafted mp4 file. The issue only affects NGINX if it is built with the ngx_http_mp4_module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted mp4 file with the ngx_http_mp4_module.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
nginx
CVE-2024-34161 May 29, 2024
NGINX QUIC Packet Leak: Undisclosed QUIC Causes Worker Process Memory Leak When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module and the network infrastructure supports a Maximum Transmission Unit (MTU) of 4096 or greater without fragmentation, undisclosed QUIC packets can cause NGINX worker processes to leak previously freed memory.
nginx
CVE-2024-35200 May 29, 2024
NGINX: Worker Crashes via Undisclosed HTTP/3 QUIC Requests When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate.
nginx
CVE-2024-31079 May 29, 2024
NGINX HTTP/3 QUIC Module Process Termination via Undisclosed Requests When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other potential impact. This attack requires that a request be specifically timed during the connection draining process, which the attacker has no visibility and limited influence over.
nginx
CVE-2024-24989 Feb 14, 2024
NGINX QUIC Crash via Undisclosed HTTP/3 Requests (CVE-2024-24989) When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html . NOTE: Software versions which have reached End of Technical Support (EoTS) are not evaluated
nginx
CVE-2024-24990 Feb 14, 2024
NGINX HTTP/3 QUIC Module Crashes Workers on Undisclosed Requests When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html . Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
nginx
CVE-2023-44487 Oct 10, 2023
HTTP/2 DoS via Stream Reset in nginx The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
nginx
CVE-2023-27730 Apr 09, 2023
Nginx NJS 0.7.10 SeGV via njs_lvlhsh_find (CVE-2023-27730) Nginx NJS v0.7.10 was discovered to contain a segmentation violation via the function njs_lvlhsh_find at src/njs_lvlhsh.c.
Njs
CVE-2023-27727 Apr 09, 2023
Nginx NJS 0.7.10: Segmentation Violation via njs_function_frame Nginx NJS v0.7.10 was discovered to contain a segmentation violation via the function njs_function_frame at src/njs_function.h.
Njs
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.