Description
Buffer underflow in src/http/ngx_http_parse.c in nginx 0.1.0 through 0.5.37, 0.6.x before 0.6.39, 0.7.x before 0.7.62, and 0.8.x before 0.8.15 allows remote attackers to execute arbitrary code via crafted HTTP requests.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Aaron Conole · python · local · linux
https://www.exploit-db.com/exploits/14830
References (10)
Core References
Third Party Advisory, US Government Resource third-party-advisory
x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/180065
Third Party Advisory vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00428.html
Release Notes, Vendor Advisory x_refsource_confirm
http://nginx.net/CHANGES-0.7
Release Notes, Vendor Advisory x_refsource_confirm
http://nginx.net/CHANGES
Broken Link x_refsource_confirm
http://sysoev.ru/nginx/patch.180065.txt
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2009/dsa-1884
Third Party Advisory vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00442.html
Third Party Advisory vendor-advisory
x_refsource_fedora
https://www.redhat.com/archives/fedora-package-announce/2009-December/msg00449.html
Release Notes, Vendor Advisory x_refsource_confirm
http://nginx.net/CHANGES-0.5
Release Notes, Vendor Advisory x_refsource_confirm
http://nginx.net/CHANGES-0.6
Scores
EPSS: 0.7810
EPSS Percentile: 99.0%
Details
CWE: CWE-787
Status: published
Products (7)
debian/debian_linux: 4.0
debian/debian_linux: 5.0
debian/debian_linux: 6.0
f5/nginx: 0.1.0 - 0.5.38
fedoraproject/fedora: 10
fedoraproject/fedora: 11
fedoraproject/fedora: 12
Published: Sep 15, 2009
Tracked Since: Feb 18, 2026