Openresty
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Openresty product.
RSS Feeds for Openresty security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Openresty products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Openresty Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 0 vulnerabilities in Openresty. Last year, in 2025 Openresty had 1 security vulnerability published. Right now, Openresty is on track to have less security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 1 | 0.00 |
| 2024 | 1 | 0.00 |
| 2023 | 1 | 7.50 |
| 2022 | 0 | 0.00 |
| 2021 | 2 | 6.50 |
| 2020 | 1 | 0.00 |
| 2019 | 0 | 0.00 |
| 2018 | 1 | 9.80 |
It may take a day or so for new Openresty vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Openresty Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2024-33452 | Apr 22, 2025 |
OpenResty lua-nginx-module <=0.10.26: HTTP Request Smuggling via HEADAn issue in OpenResty lua-nginx-module v.0.10.26 and before allows a remote attacker to conduct HTTP request smuggling via a crafted HEAD request. |
Lua Nginx Module
|
| CVE-2024-39702 | Jul 23, 2024 |
OpenResty 1.19.3.11.25.3.1 HashDoS via lj_str_hash.cIn lj_str_hash.c in OpenResty 1.19.3.1 through 1.25.3.1, the string hashing function (used during string interning) allows HashDoS (Hash Denial of Service) attacks. An attacker could cause excessive resource usage during proxy operations via crafted requests, potentially leading to a denial of service with relatively few incoming requests. This vulnerability only exists in the OpenResty fork in the openresty/luajit2 GitHub repository. The LuaJIT/LuaJIT repository. is unaffected. |
Openresty
|
| CVE-2023-44487 | Oct 10, 2023 |
HTTP/2 DoS via Stream Reset in nginxThe HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
Openresty
|
| CVE-2021-23017 | Jun 01, 2021 |
A security issue in nginx resolver was identified, which mightA security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact. |
Openresty
|
| CVE-2020-36309 | Apr 06, 2021 |
ngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in OpenRestyngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in OpenResty allows unsafe characters in an argument when using the API to mutate a URI, or a request or response header. |
Lua Nginx Module
|
| CVE-2020-11724 | Apr 12, 2020 |
An issue was discovered in OpenResty before 1.15.8.4An issue was discovered in OpenResty before 1.15.8.4. ngx_http_lua_subrequest.c allows HTTP request smuggling, as demonstrated by the ngx.location.capture API. |
Openresty
|
| CVE-2018-9230 | Apr 02, 2018 |
In OpenResty through 1.13.6.1, URI parameters are obtained using the ngx.req.get_uri_args and ngx.req.get_post_args functionsIn OpenResty through 1.13.6.1, URI parameters are obtained using the ngx.req.get_uri_args and ngx.req.get_post_args functions that ignore parameters beyond the hundredth one, which might allow remote attackers to bypass intended access restrictions or interfere with certain Web Application Firewall (ngx_lua_waf or X-WAF) products. NOTE: the vendor has reported that 100 parameters is an intentional default setting, but is adjustable within the API. The vendor's position is that a security-relevant misuse of the API by a WAF product is a vulnerability in the WAF product, not a vulnerability in OpenResty |
Openresty
|