Tell HN: A new Nginx 0-day just dropped

Nebula Security disclosed a new Nginx remote code execution 0-day affecting Fortune 500 companies. The vulnerability impacts Nginx Open Source versions 1.31.0 and 1.31.1 with HTTP/3 or QUIC enabled. Users are urged to upgrade to version 1.31.2 or disable QUIC immediately.

7 points

We at Nebula Security just dropped an nginx remote code execution 0-day. This vulnerability affects dozens of Fortune 500 companies, and we disclosed it to the nginx team immediately. This 0-day is the third nginx bug to receive a "major" rating since 2014.

To check if your server is impacted:

1. You are running NGINX Open Source v1.31.0 or v1.31.1
2. Your NGINX configuration enables HTTP/3 / QUIC

Immediate action:

1. Upgrade NGINX to v1.31.2 or later
2. If you cannot upgrade immediately, disable QUIC / HTTP/3 until you can patch

Shameless plug: this is the second nginx RCE 0-day we found in a month, using our security agent VEGA. See our first nginx RCE at

In the meantime, if you are interested in trying VEGA on your codebase, reach out at etenz@nebusec.ai.
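A small triage helper for the two-step check in the post above, added here as an example and not part of the original post or of Nebula Security's tooling. It assumes the standard `nginx -v` banner format (`nginx version: nginx/X.Y.Z`, printed to stderr), that `nginx -T` dumps the effective configuration, and that HTTP/3 is turned on by a `listen ... quic` directive as in the nginx documentation. The version list and the sample config block are taken from, or constructed to match, the advisory text; the function names are the example's own.

```sh
#!/bin/sh
# Added example: check whether a host matches the advisory's two conditions
# (affected nginx release AND QUIC/HTTP/3 enabled). Not the original post's code.

# Extract "X.Y.Z" from an `nginx -v` banner such as "nginx version: nginx/1.31.1".
nginx_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^nginx version: nginx\/\([0-9][0-9.]*\).*/\1/p'
}

# True (exit 0) if the version is one of the releases the post names as affected.
version_is_affected() {
    case "$1" in
        1.31.0|1.31.1) return 0 ;;
        *) return 1 ;;
    esac
}

# True (exit 0) if the nginx configuration text on stdin enables QUIC.
# Comments are stripped first so a commented-out listener does not count.
# Assumption: QUIC is enabled only via `listen ... quic` (nginx docs).
config_enables_quic() {
    sed 's/#.*$//' | grep -Eq '(^|[[:space:]])listen[^;]*[[:space:]]quic([[:space:]]|;)'
}

# Combine both conditions. Prints a verdict; exit 0 means "impacted".
# $1 = nginx -v banner, $2 = full configuration text.
assess() {
    banner="$1"
    conf="$2"
    ver=$(nginx_version_from_banner "$banner")
    if version_is_affected "$ver" && printf '%s\n' "$conf" | config_enables_quic; then
        echo "IMPACTED: nginx $ver with QUIC/HTTP/3 enabled - upgrade to 1.31.2+ or disable QUIC"
        return 0
    fi
    echo "not impacted (nginx ${ver:-unknown})"
    return 1
}

# Constructed sample config (not from the post) showing a QUIC listener.
SAMPLE_CONF='server {
    listen 443 quic reuseport;  # HTTP/3
    listen 443 ssl;
}'

# Live use on a real host (uncomment):
# assess "$(nginx -v 2>&1)" "$(nginx -T 2>/dev/null)"
```

Run it on a host with `assess "$(nginx -v 2>&1)" "$(nginx -T 2>/dev/null)"`; the exit status lets you wire it into a fleet-wide check. Disabling QUIC, the post's interim mitigation, means removing the `quic` listener line(s) this function matches and reloading nginx.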