CVE-2009-2629

nginx <0.5.37, <0.6.39, <0.7.62, <0.8.15 - RCE

Title source: llm

Description

Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 through 0.5.37, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.15 allows remote attackers to execute arbitrary code via crafted HTTP requests.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Aaron Conole · pythonlocallinux

https://www.exploit-db.com/exploits/14830

View Code ZIP pw:eip

References (10)

[Release Notes, Vendor Advisory] http://nginx.net/CHANGES

[Release Notes, Vendor Advisory] http://nginx.net/CHANGES-0.5

[Release Notes, Vendor Advisory] http://nginx.net/CHANGES-0.6

[Release Notes, Vendor Advisory] http://nginx.net/CHANGES-0.7

[Broken Link] http://sysoev.ru/nginx/patch.180065.txt

[Third Party Advisory] http://www.debian.org/security/2009/dsa-1884

[Third Party Advisory, US Government Resource] http://www.kb.cert.org/vuls/id/180065

[Third Party Advisory] https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00428.html

[Third Party Advisory] https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00442.html

[Third Party Advisory] https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00449.html

Scores

EPSS 0.8076

EPSS Percentile 99.1%

Classification

CWE

CWE-787

Status draft

Affected Products (7)

f5/nginx < 0.5.38

debian/debian_linux

fedoraproject/fedora

Timeline

Published Sep 15, 2009

Tracked Since Feb 18, 2026