CVE-2021-23017

HIGH LAB

nginx 0.6.18-1.20.0 - Denial of Service via DNS Resolver Off-by-one Error

Title source: llm

Exploitation Summary

EIP tracks 11 public exploits for CVE-2021-23017. PoCs published by Mohammed Alshehri, M507, 6lj.

AI-analyzed exploit summary: This exploit leverages a DNS response parsing vulnerability in Nginx (CVE-2021-23017) to trigger a denial-of-service (DoS) condition. It performs ARP poisoning to intercept DNS traffic and crafts a malicious DNS response to exploit the flaw in Nginx's resolver.

Description

A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact.

Exploits (11)

exploitdb WORKING POC
by Mohammed Alshehri · python · remote · multiple
https://www.exploit-db.com/exploits/50973

This exploit leverages a DNS response parsing vulnerability in Nginx (CVE-2021-23017) to trigger a denial-of-service (DoS) condition. It performs ARP poisoning to intercept DNS traffic and crafts a malicious DNS response to exploit the flaw in Nginx's resolver.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Nginx 0.6.18 - 1.20.0
No auth needed
Prerequisites: Nginx configured to use a resolver · Ability to intercept/modify DNS traffic (ARP poisoning) · Python with Scapy library
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 132 stars
by M507 · poc
https://github.com/M507/CVE-2021-23017-PoC

This PoC exploits CVE-2021-23017, a DNS cache poisoning vulnerability, by sending crafted DNS responses to a target. It uses ARP poisoning to intercept DNS traffic and injects malicious DNS replies to manipulate cache entries.

Classification: Working PoC 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: DNS implementations vulnerable to cache poisoning (specific software not explicitly mentioned)
No auth needed
Prerequisites: Network access to the target · Ability to intercept DNS traffic (ARP poisoning) · Knowledge of the target's DNS server
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 1 star
by 6lj · poc
https://github.com/6lj/EVIL-CVE-2021-23017-Update-2025

This repository contains functional exploit code for CVE-2021-23017, a DNS-related DoS vulnerability in NGINX servers (versions 0.6.18–1.20.0). The PoC sends malicious DNS responses with long domain names to crash the target NGINX server, with enhancements for firewall bypass and parallel execution.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: NGINX (versions 0.6.18–1.20.0)
No auth needed
Prerequisites: Same subnet as target for ARP spoofing or target must use attacker's DNS server IP · Python dependencies (scapy, requests) · dnsmasq setup
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 1 star
by z3usx01 · poc
https://github.com/z3usx01/CVE-2021-23017-POC

This PoC exploits CVE-2021-23017, a 1-byte memory overwrite vulnerability in nginx's resolver when processing forged DNS responses. It uses ARP poisoning to intercept DNS traffic and crafts malicious DNS responses to trigger the vulnerability.

Classification: Working PoC 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: nginx (with resolver directive configured)
No auth needed
Prerequisites: Ability to forge UDP packets from the DNS server · nginx configured with resolver directive · Network access to intercept DNS traffic
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC 1 star
by lakshit1212 · poc
https://github.com/lakshit1212/CVE-2021-23017-PoC

This PoC exploits CVE-2021-23017, a DNS cache poisoning vulnerability in NXNSAttack, by crafting malicious DNS responses to poison the cache of a target DNS server. It uses ARP spoofing to intercept DNS queries and injects a spoofed response with a malicious payload.

Classification: Working PoC 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: DNS servers vulnerable to NXNSAttack (e.g., dnsmasq before 2.83)
No auth needed
Prerequisites: Network access to the target DNS server · Ability to perform ARP spoofing · Target must be using a vulnerable DNS server
devstral-2 · analyzed Feb 18, 2026
nomisec STUB 1 star
by niandy · poc
https://github.com/niandy/nginx-patch

This repository contains Docker build files and configuration for a custom nginx image but lacks any exploit code or technical details related to CVE-2021-23017. It appears to be a placeholder or build environment rather than a functional PoC.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: nginx 1.15.x
No auth needed
devstral-2 · analyzed Feb 18, 2026
gitlab SCANNER
by niklasjanz · poc
https://gitlab.com/niklasjanz/omibus-check-for-cve-2021-23017

This repository provides a shell script to scan GitLab Omnibus installations for the presence of the vulnerable 'resolver' directive in NGINX configurations, which is indicative of CVE-2021-23017. It checks both configuration files and the running NGINX process for the directive.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: GitLab Omnibus with NGINX
No auth needed
Prerequisites: access to the target system's file system and NGINX process
devstral-2 · analyzed Feb 23, 2026
nomisec SCANNER
by moften · poc
https://github.com/moften/CVE-2021-23017

This Python script checks for CVE-2021-23017 by sending an HTTP request with an overly long Host header to trigger a potential DNS buffer overflow in NGINX's resolver. It does not execute malicious code but scans for vulnerability indicators.

Classification: Scanner 90%
Attack Type: DoS
Complexity: Trivial
Reliability: Theoretical
Target: NGINX with resolver configured
No auth needed
Prerequisites: NGINX with resolver enabled · Network access to target
devstral-2 · analyzed Feb 18, 2026
nomisec WRITEUP
by Cybervixy · poc
https://github.com/Cybervixy/Vulnerability-Management

This repository contains a detailed vulnerability management report focusing on CVE-2021-23017, a buffer overflow in Nginx 1.15.5. It includes technical analysis, patch recommendations, and remediation steps, but does not provide functional exploit code.

Classification: Writeup 95%
Attack Type: DoS
Complexity: Moderate
Reliability: Theoretical
Target: Nginx 1.15.5
No auth needed
Prerequisites: Access to a vulnerable Nginx server · Ability to send crafted HTTP requests
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by lukwagoasuman · poc
https://github.com/lukwagoasuman/-home-lukewago-Downloads-CVE-2021-23017-Nginx-1.14

This PoC exploits CVE-2021-23017, a heap corruption vulnerability in Nginx 1.14, by crafting a malicious DNS response. The script listens on UDP port 1053 and responds with a specially crafted CNAME response to trigger the vulnerability.

Classification: Working PoC 90%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Nginx 1.14
No auth needed
Prerequisites: Network access to the target Nginx server · Ability to intercept or spoof DNS responses
devstral-2 · analyzed Feb 18, 2026
nomisec WORKING POC
by ShivamDey · poc
https://github.com/ShivamDey/CVE-2021-23017

This PoC exploits CVE-2021-23017, a DNS cache poisoning vulnerability in NXNSAttack, by crafting malicious DNS responses to poison the cache of a target DNS server. It uses ARP spoofing to intercept DNS queries and injects a malicious payload into the DNS response.

Classification: Working PoC 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: DNS servers vulnerable to NXNSAttack (e.g., dnsmasq before 2.83)
No auth needed
Prerequisites: Network access to the target DNS server · Ability to intercept DNS traffic (e.g., via ARP spoofing)
devstral-2 · analyzed Feb 18, 2026

References (14)

Core References
Vendor Advisory x_refsource_misc
https://support.f5.com/csp/article/K12331123%2C
Mailing List, Patch, Vendor Advisory x_refsource_misc
http://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2021.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210708-0006/
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2022.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html

Scores

CVSS v3 7.7
EPSS 0.7317
EPSS Percentile 98.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

Lab Environment

COMMUNITY
Community Lab
docker pull quay.io/kubernetes-ingress-controller/debian-base-amd64:0.1

Details

CWE: CWE-193
Status: published
Products (25)
f5/nginx 0.6.18 - 1.20.1
fedoraproject/fedora 33
fedoraproject/fedora 34
netapp/ontap_select_deploy_administration_utility
openresty/openresty < 1.19.3.2
oracle/blockchain_platform < 21.1.2
oracle/communications_control_plane_monitor 3.4
oracle/communications_control_plane_monitor 4.2
oracle/communications_control_plane_monitor 4.3
oracle/communications_control_plane_monitor 4.4
... and 15 more
Published Jun 01, 2021
Tracked Since Feb 18, 2026