Critical NGINX vulnerability discovered: hackers can attempt to crash servers or even gain code execution
NGINX is critically vulnerable for a second time this year.

Image by Cybernews.
NGINX, one of the most common components of modern web infrastructure, contains a critical vulnerability that allows attackers to crash servers and, in certain cases, gain remote code execution.
F5, the owner of NGINX, has released a second “major” severity advisory this year, urging admins to take prompt action and apply critical updates.
The bug affects both NGINX Plus and the open-source version. This widely deployed application delivery software serves as a reverse proxy and load balancer across many modern web environments.
The critical vulnerability lies specifically in the map directive. Admins use it to check incoming requests against a set of matching rules and generate corresponding values that NGINX later uses downstream when deciding how to handle or route those requests.
The issue occurs when the map directive uses regular expression matching and processes data in an unsafe order. NGINX, due to a bug, will use an incomplete result while processing the request.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
Hackers can exploit this behavior by sending specifically crafted HTTP requests that will cause NGINX to process invalid data, leading to a heap buffer overflow. Ultimately, this results in an NGINX worker process crashing and restarting.
“This vulnerability may allow remote attackers to cause a denial-of-service (DoS) on the NGINX system or to possibly trigger a code execution,” F5 warns in the advisory.
Code execution can be achieved on systems with Address Space Layout Randomization (ASLR) disabled, which is not the default configuration, or when the attacker can bypass it.
Attackers cannot control the server configuration, meaning they must either first identify vulnerable systems or rely on opportunistic attacks.
Check if your data has been leaked
“An unauthenticated attacker, along with conditions beyond their control, can exploit this vulnerability by sending crafted HTTP requests,” the advisory reads.
F5 explicitly stated that its major product lines, such as BIG-IP and its cloud services, are unaffected by the bug.
The advisory urges administrators running vulnerable NGINX versions to install a safe version. Until the fix is applied, admins can also reduce their risk by adjusting how they write map rules.
F5 credited multiple security researchers for discovering and reporting the flaw, indicating that it might have been reproduced by several groups and is widely known within the security community.
The latest NGINX updates also fix two other medium-severity vulnerabilities.
This is a second major alert over a critical NGINX vulnerability this year. A previously disclosed critical vulnerability that remained undiscovered for 18 years enabled hackers to crash servers with ease, and it quickly became actively exploited in the wild.