Tell HN: A new Nginx 0-day just dropped
2 comments
>> If you use Nginx 1.31 with QUIC enabled, we recommend upgrading to the latest version.
QUIC isn't enabled by default.
QUIC isn't enabled by default.
Going to assume that this RCE is being actively exploited right now.
A "major" rating seems appropriate for this. If this didn't require QUIC and it was the default config then that would be far worse situation.
Still a serious 0day.
A "major" rating seems appropriate for this. If this didn't require QUIC and it was the default config then that would be far worse situation.
Still a serious 0day.
To check if your server is impacted:
Immediate action:
Shameless plug: this is the second nginx RCE 0-day we found in a month, using our security agent VEGA. (see our first nginx RCE at https://x.com/nebusecurity/status/2057071579876753643). We'll be doing an HN launch, but wanted to get the word out about this RCE sooner.
In the meantime, if you are interesting in trying VEGA on your codebase, reach out at [email protected].