First published: Wed May 29 2024
When NGINX Plus or NGINX OSS is configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate.
Credit: f5sirt@f5.com
Affected Software | Affected Version | How to fix
---|---|---
NGINX Plus | |
NGINX Open Source | |
Nginx | >=1.25.0, <1.26.1 |
Nginx | =r30 |
Nginx | =r30-p1 |
Nginx | =r30-p2 |
Nginx | =r31 |
Nginx | =r31-p1 |
Fedora | =39 |
Fedora | =40 |
CVE-2024-35200 is considered a critical vulnerability as it can cause NGINX worker processes to terminate when handling specific HTTP/3 requests.
To mitigate CVE-2024-35200, it is recommended to upgrade NGINX Plus to a version higher than r31-p1 and NGINX OSS to a version above 1.26.1.
CVE-2024-35200 affects NGINX Plus r30, r30-p1, r30-p2, and r31, as well as NGINX OSS versions from 1.25.0 up to 1.26.1.
CVE-2024-35200 specifically impacts configurations using the HTTP/3 QUIC module in NGINX.
CVE-2024-35200 can cause unexpected termination of NGINX worker processes, leading to possible service disruption.
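Since exposure to CVE-2024-35200 depends on three things at once (a build in the affected version window, the HTTP/3 module compiled in, and a `listen ... quic` directive actually enabled), a defender inventorying hosts wants a check that tests all three rather than the version alone. The following Python script is an added example, not part of this advisory or of the NGINX project. It assumes the `nginx -V` output shape `nginx version: nginx/X.Y.Z` (with `(nginx-plus-rNN[-pN])` appended on NGINX Plus builds) and the `--with-http_v3_module` configure flag; the version ranges are taken from the table above, and all sample inputs are constructed.

```python
import re

# Affected ranges exactly as listed in the advisory table above.
OSS_AFFECTED_MIN = (1, 25, 0)   # first affected NGINX OSS release (inclusive)
OSS_FIXED = (1, 26, 1)          # versions below this bound are affected
PLUS_AFFECTED = {"r30", "r30-p1", "r30-p2", "r31", "r31-p1"}

# Assumption: `nginx -V` prints "nginx version: nginx/X.Y.Z" and, on NGINX Plus,
# appends the release in parentheses, e.g. "nginx/1.25.3 (nginx-plus-r31-p1)".
_VERSION_RE = re.compile(
    r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)"
    r"(?:\s+\(nginx-plus-(r\d+(?:-p\d+)?)\))?"
)
# A `listen` directive up to its terminating semicolon.
_LISTEN_RE = re.compile(r"^\s*listen\s+([^;]*);", re.MULTILINE)


def parse_nginx_v(output: str) -> dict:
    """Pull version, NGINX Plus release (if any) and the HTTP/3 build flag out of `nginx -V` text."""
    m = _VERSION_RE.search(output)
    if m is None:
        raise ValueError("no 'nginx version:' line found")
    return {
        "version": tuple(int(x) for x in m.group(1, 2, 3)),
        "plus_release": m.group(4),  # None on an OSS build
        # --with-http_v3_module is the configure flag that builds the QUIC/HTTP/3 module.
        "http3_compiled": "--with-http_v3_module" in output,
    }


def version_affected(info: dict) -> bool:
    """True when the build falls inside the advisory's affected window."""
    if info["plus_release"] is not None:
        return info["plus_release"] in PLUS_AFFECTED
    return OSS_AFFECTED_MIN <= info["version"] < OSS_FIXED


def quic_listeners(config_text: str) -> list:
    """Return the arguments of every `listen` directive that enables QUIC.
    Text after '#' is a comment and is dropped, so commented-out listeners do not count."""
    stripped = "\n".join(line.split("#", 1)[0] for line in config_text.splitlines())
    return [args.strip() for args in _LISTEN_RE.findall(stripped)
            if "quic" in args.split()]


def assess(nginx_v_output: str, config_text: str) -> dict:
    """Combine the three conditions: affected version, HTTP/3 module built in,
    and at least one active QUIC listener. All three are needed for exposure."""
    info = parse_nginx_v(nginx_v_output)
    listeners = quic_listeners(config_text)
    affected = version_affected(info)
    return {
        **info,
        "version_affected": affected,
        "quic_listeners": listeners,
        "exposed": affected and info["http3_compiled"] and bool(listeners),
    }


# Constructed sample inputs (not real captured output).
SAMPLE_NGINX_V_OSS = """nginx version: nginx/1.25.4
built with OpenSSL 3.0.13 30 Jan 2024
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v3_module
"""
SAMPLE_NGINX_V_FIXED = """nginx version: nginx/1.26.1
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v3_module
"""
SAMPLE_NGINX_V_PLUS = """nginx version: nginx/1.25.3 (nginx-plus-r31-p1)
configure arguments: --prefix=/etc/nginx --with-http_v3_module
"""
SAMPLE_CONF = """server {
    listen 443 ssl;
    listen 443 quic reuseport;   # HTTP/3 endpoint
    # listen [::]:443 quic;       # commented out, must be ignored
    http3 on;
    server_name example.test;
}
"""

if __name__ == "__main__":
    for label, out in (("oss", SAMPLE_NGINX_V_OSS), ("fixed", SAMPLE_NGINX_V_FIXED),
                       ("plus", SAMPLE_NGINX_V_PLUS)):
        result = assess(out, SAMPLE_CONF)
        print(f"{label}: version={result['version']} exposed={result['exposed']}")
```

Run it against the real `nginx -V` output (note that `-V` writes to stderr) and the effective configuration from `nginx -T` on each host; a host reports `exposed` only when all three conditions hold, which keeps a patched 1.26.1 build or an HTTP/3 listener that is only commented out from being flagged.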