Is nginx vulnerable to the Hash Table Vulnerability (n.runs AG)?

Maxim Dounin mdounin at
Sun Jan 1 00:34:57 UTC 2012


On Sat, Dec 31, 2011 at 11:37:39AM -0700, Justin Hart wrote:

> Without going through the way nginx parses an incoming request, I'm unsure
> if nginx isn't vulnerable to this, because of the availability to grab the
> value of a GET parameter via
>  My hope is that
> especially if an $arg_PARAMETER isn't used in the config, it is not
> vulnerable because it wouldn't even attempt to parse the parameters, but I
> can't be sure.
> Can anyone speak to this?

It's not vulnerable even if $arg_* is used.

Maxim Dounin

More information about the nginx mailing list