CVE-2024-31079 MEDIUM

CVE-2024-31079: NGINX HTTP/3 QUIC vulnerability

Vendor: F5
Product: NGINX Open Source
Weakness: CWE-121
Published: May 29, 2024
Last update: February 13, 2025

CVSS base score

4.8/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

Description

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate or cause other potential impact. This attack requires that a request be specifically timed during the connection draining process, which the attacker has no visibility and limited influence over.

Key dates

Disclosure timeline

May 29, 2024: CVE published
February 13, 2025: Record updated