Nginx is the world's second most popular web server and the leading reverse proxy. Its reputation for lightness and performance is well-earned, but like any critical internet-exposed software, Nginx accumulates vulnerabilities that require regular monitoring.
CVE-2021-23017: Buffer Overwrite in DNS Resolver (CVSS 7.7)
The Nginx DNS Vulnerability
In May 2021, a vulnerability was disclosed in Nginx's DNS resolver, the component that resolves domain names for proxy configurations. By crafting a malicious DNS response, an attacker could trigger a one-byte overwrite in Nginx's process memory.
Exploitation conditions:
- resolver configured in nginx.conf (not enabled by default)
- The attacker must control or intercept DNS responses
# Configuration that reaches the vulnerable code path on affected versions
resolver 8.8.8.8 valid=300s;
resolver_timeout 5s;
Affected versions: Nginx 0.6.18 through 1.20.0
CVE-2022-41741 and CVE-2022-41742: ngx_http_mp4_module (CVSS 8.1)
Two vulnerabilities in the ngx_http_mp4_module (MP4 file processing for video on demand):
- CVE-2022-41741: Memory corruption potentially enabling code execution via a crafted MP4 file
- CVE-2022-41742: Out-of-bounds memory read via a crafted MP4 file
These CVEs are only exploitable if the mp4 directive is configured in nginx.conf; the module is disabled by default but is often enabled in video streaming configurations.
Common Dangerous Nginx Configurations
Most Nginx security issues come from configuration, not the engine itself.
Alias Path Traversal
# VULNERABLE — path traversal possible
location /static {
alias /var/www/files/;
}
# A request for /static../etc/passwd becomes /var/www/files/../etc/passwd, i.e. /var/www/etc/passwd:
# everything under the parent of the aliased directory becomes readable
# CORRECT — use root or add trailing /
location /static/ {
alias /var/www/files/;
}
Sensitive File Exposure
# DANGEROUS — exposes backup and config files
location / {
root /var/www/html;
}
# Accessible: /backup.sql, /.env, /config.php.bak
# CORRECT — block sensitive extensions (return 404 is applied in the rewrite phase,
# before deny is evaluated, so the response does not reveal that the file exists)
location ~* \.(env|sql|bak|conf|ini|log|sh|git)$ {
deny all;
return 404;
}
Publicly Accessible Status Page
# DANGEROUS — reveals active connections
location /nginx_status {
stub_status on;
}
# CORRECT
location /nginx_status {
stub_status on;
allow 127.0.0.1;
deny all;
}
Securing Nginx
1. Update Nginx
# Check version
nginx -v
# Update Debian/Ubuntu
apt-get update && apt-get upgrade nginx
# Update CentOS/RHEL
yum update nginx
2. Secure Base Configuration
# nginx.conf — global security settings
http {
# Hide Nginx version
server_tokens off;
# Timeouts to prevent slow attacks
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;
# Limit request size
client_max_body_size 10m;
client_body_buffer_size 128k;
# Clickjacking and MIME-sniffing protection (X-XSS-Protection is a legacy header
# that current browsers ignore; Content-Security-Policy is the modern replacement)
# Note: add_header directives set here are inherited by a server or location
# block only if that block defines no add_header of its own
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
}
3. Secure TLS Configuration
server {
listen 443 ssl http2;  # since Nginx 1.25.1 the preferred form is "listen 443 ssl;" plus "http2 on;"
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# Secure protocols only
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (because this block defines its own add_header, the http-level add_header
# directives are not inherited here; repeat them in this block or use a shared include)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# OCSP Stapling (needs a resolver directive to reach the OCSP responder, and
# ssl_trusted_certificate with the issuer chain for ssl_stapling_verify to work)
ssl_stapling on;
ssl_stapling_verify on;
}
4. Rate Limiting to Prevent Attacks
# Define a rate limiting zone (this directive belongs in the http context):
# 10 MB of shared memory keyed on client IP, 10 requests per second
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
server {
location /api/ {
limit_req zone=api burst=20 nodelay;
limit_req_status 429;
}
}
5. Block Sensitive Paths
# Block access to dotfiles and dot-directories (.git, .env, .htpasswd, ...)
# Note: this also matches /.well-known/; if ACME HTTP-01 renewal is used, exempt it
# with a separate "location ^~ /.well-known/acme-challenge/ { ... }" block
location ~ /\. {
deny all;
}
location ~* \.(env|sql|bak|conf|ini|log|sh)$ {
deny all;
return 404;
}
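As an added example that is not part of the article, the following Python script checks a configuration for three of the patterns discussed above: the alias path traversal and the unprotected stub_status page from "Common Dangerous Nginx Configurations", and a missing server_tokens off from step 2. The sample configuration and the finding messages are constructed here; the parser is a simple brace matcher, not a full nginx grammar.

```python
import re
# Constructed sample configuration containing the article's misconfigurations
SAMPLE_CONF = """
http {
    server_tokens on;
    server {
        location /static {            # prefix without trailing slash ...
            alias /var/www/files/;    # ... aliased to a directory: traversal
        }
        location /assets/ {           # safe form from the article
            alias /var/www/assets/;
        }
        location /nginx_status {      # no allow/deny around stub_status
            stub_status on;
        }
    }
}
"""
LOCATION_RE = re.compile(r'location\s+(?:(=|~\*|~|\^~)\s+)?("?[^\s{"]+"?)\s*\{')

def _block_body(text, start):
    # Return the text inside the brace block that opens at text[start] == '{'
    depth = 0
    for i in range(start, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in configuration")

def audit_nginx_conf(conf):
    # Return a list of findings for the misconfigurations the article describes
    text = re.sub(r'#[^\n]*', '', conf)  # strip comments before matching
    findings = []
    if not re.search(r'\bserver_tokens\s+off\s*;', text):
        findings.append("server_tokens is not off: Nginx version disclosed in headers")
    for m in LOCATION_RE.finditer(text):
        modifier, path = m.group(1), m.group(2).strip('"')
        body = _block_body(text, m.end() - 1)
        alias = re.search(r'\balias\s+([^\s;]+)\s*;', body)
        # Alias traversal: prefix location without a trailing slash mapped onto an
        # alias directory with one, so a request for "<prefix>../" escapes it
        if alias and modifier in (None, '^~') and not path.endswith('/') and alias.group(1).endswith('/'):
            findings.append(f"location {path}: alias traversal, {path}../ escapes {alias.group(1)}")
        # stub_status with no allow/deny or auth_basic in the block is world-readable
        if re.search(r'\bstub_status\b', body) and not re.search(r'\b(allow|deny|auth_basic)\b', body):
            findings.append(f"location {path}: stub_status reachable without access control")
    return findings
```

Feed it the output of `nginx -T` to audit a live installation with all include files expanded.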
Check Nginx CVEs on cveo.tech — search for nginx to see the complete vulnerability history referenced by the NVD.