CVE-2024-32760 MEDIUM

CVE-2024-32760: NGINX HTTP/3 QUIC vulnerability

Vendor F5

Product NGINX Open Source

Weakness CWE-787

Published May 29, 2024

Last update February 13, 2025

View on NVD All CVEs

CVSS base score

6.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

Description

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 encoder instructions can cause NGINX worker processes to terminate or cause or other potential impact.

Key dates

Disclosure timeline

May 29, 2024 CVE published

February 13, 2025 Record updated

Identifiers

CVE CVE-2024-32760

CWE CWE-787

CVSS 6.5 / MEDIUM

Affected versions

Vendor F5

Product NGINX Open Source

Affected ≥ 1.25.0 and < 1.26.1

Vendor F5

Product NGINX Plus

Affected ≥ R30 and < R32