Tell HN: A new Nginx 0-day just dropped

We (Nebula Security) just dropped an nginx remote code execution 0-day. This vulnerability affects dozens of Fortune 500 companies and we disclosed it to the nginx team immediately. This 0-day is the third nginx bug to receive a "major" rating since 2014. (https://x.com/nebusecurity/status/2067623683427045541)

To check if your server is impacted:

  1. You are running NGINX Open Source v1.31.0 or v1.31.1

  2. Your NGINX configuration enables HTTP/3 / QUIC

Immediate action:

  1. Upgrade NGINX to v1.31.2 or later

  2. If you cannot upgrade immediately, disable QUIC / HTTP/3 until you can patch

Shameless plug: this is the second nginx RCE 0-day we found in a month, using our security agent VEGA (see our first nginx RCE at https://x.com/nebusecurity/status/2057071579876753643). We'll be doing an HN launch, but wanted to get the word out about this RCE sooner.

In the meantime, if you are interested in trying VEGA on your codebase, reach out at etenz@nebusec.ai.

9 points | by etenal 23 hours ago
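The two-condition check in the post (affected version AND QUIC/HTTP/3 enabled) is easy to get wrong by hand on a fleet, so here is an added triage script. It is not from the post or from Nebula Security; it only encodes the version numbers and the remediation the post states. It parses the version from `nginx -v` and scans the rendered configuration from `nginx -T` for a `listen ... quic` parameter or `http3 on` (the real nginx directives that turn HTTP/3 on), ignoring commented-out lines. The two config snippets are constructed samples for demonstration.

```sh
#!/bin/sh
# Added example, not code from the post or from Nebula Security.
# Triage helper for the advisory above: impacted = affected version AND QUIC/HTTP/3 on.

# Extract "1.31.0" from the `nginx -v` line "nginx version: nginx/1.31.0".
parse_nginx_version() {
  printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*#\1#p'
}

# Return 0 when VERSION is one of the versions the post names as affected.
nginx_version_affected() {
  case "$1" in
    1.31.0|1.31.1) return 0 ;;
    *)             return 1 ;;
  esac
}

# Return 0 when CONFIG_TEXT (output of `nginx -T`) enables QUIC/HTTP/3:
# a `listen` directive carrying the `quic` parameter, or `http3 on;`.
# Comments are stripped first so a commented-out listener does not count.
config_enables_quic() {
  printf '%s\n' "$1" |
    sed 's/#.*$//' |
    grep -Eq '(listen[^;]*[[:space:]]quic[[:space:];])|(^|[[:space:]])http3[[:space:]]+on[[:space:]]*;'
}

# Combine both conditions. Returns 0 (and prints IMPACTED) only when both hold.
assess() {
  ver="$1"; cfg="$2"
  if nginx_version_affected "$ver" && config_enables_quic "$cfg"; then
    echo "IMPACTED: nginx $ver with QUIC/HTTP/3 enabled; upgrade to 1.31.2+ or disable QUIC"
    return 0
  fi
  quic=$(config_enables_quic "$cfg" && echo yes || echo no)
  echo "not impacted: nginx $ver (QUIC/HTTP/3 enabled: $quic)"
  return 1
}

# Constructed sample configs (not real deployments).
SAMPLE_CFG_QUIC='server {
    listen 443 ssl;
    listen 443 quic reuseport;
    http3 on;
}'
SAMPLE_CFG_NOQUIC='server {
    listen 443 ssl;
    # listen 443 quic;   left commented out, so HTTP/3 stays off
}'

# Live mode: `sh check_nginx_quic.sh --live` (run as root; nginx -T reads the config).
if [ "${1:-}" = "--live" ] && command -v nginx >/dev/null 2>&1; then
  assess "$(parse_nginx_version "$(nginx -v 2>&1)")" "$(nginx -T 2>/dev/null)"
else
  assess 1.31.0 "$SAMPLE_CFG_QUIC"
  assess 1.31.0 "$SAMPLE_CFG_NOQUIC"
  assess 1.31.2 "$SAMPLE_CFG_QUIC"
fi
```

If the script reports IMPACTED and you cannot upgrade right away, the stopgap from the post maps to removing (or commenting out) the `quic` listen line and `http3 on;`, then `nginx -s reload`; re-run the script afterwards to confirm the QUIC flag reads "no".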

2 comments

  • hobonation 25 minutes ago
    >> If you use Nginx 1.31 with QUIC enabled, we recommend upgrading to the latest version.

    QUIC isn't enabled by default.

  • rvz 55 minutes ago
    Going to assume that this RCE is being actively exploited right now.

    A "major" rating seems appropriate for this. If this didn't require QUIC and it was the default config, then that would be a far worse situation.

    Still a serious 0day.