nginx security advisory (CVE-2024-24989, CVE-2024-24990)

Sergey Kandaurov pluknet at nginx.com
Wed Feb 14 17:00:03 UTC 2024


Two security issues were identified in nginx HTTP/3 implementation,
which might allow an attacker that uses a specially crafted QUIC session
to cause a worker process crash (CVE-2024-24989, CVE-2024-24990) or
might have potential other impact (CVE-2024-24990).

The issues affect nginx compiled with the ngx_http_v3_module (not
compiled by default) if the "quic" option of the "listen" directive
is used in a configuration file.

The issue affects nginx 1.25.0 - 1.25.3.
The issue is fixed in nginx 1.25.4.


-- 
Sergey Kandaurov


More information about the nginx mailing list