API Security Blog

K000139612: NGINX HTTP/3 QUIC vulnerability CVE-2024-35200

Security Advisory Description

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate. (CVE-2024-35200)

Note: This issue affects NGINX systems compiled with the ngx_http_v3_module module, where the configuration contains a listen directive with the quic option enabled. The HTTP/3 QUIC module is considered an experimental feature and is not compiled by default in NGINX OSS, but it is compiled by default in NGINX Plus. For more information, refer to Support for QUIC and HTTP/3.

Impact

Client traffic may be disrupted while the worker process restarts. This vulnerability allows a remote unauthenticated attacker to cause a denial-of-service (DoS). There is no control plane exposure; this is a data plane issue…
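The Note's scope condition (module compiled in, plus a listen directive with quic) can be checked mechanically. The following is an added example, not part of the advisory or of NGINX: it assumes the text of `nginx -V` and `nginx -T` as input and the `--with-http_v3_module` configure flag, the function names are this example's own, and it does not check release versions because the page lists none.

```python
import re

V3_FLAG = "--with-http_v3_module"  # configure flag that builds ngx_http_v3_module

# Quoted strings, '#' comments, the three delimiters, then bare words.
TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|#[^\n]*|[;{}]|[^\s;{}]+''')

def quic_listeners(conf):
    """Return the address of every active `listen` directive carrying `quic`."""
    hits, cur = [], []
    for m in TOKEN.finditer(conf):
        tok = m.group(0)
        if tok.startswith("#"):          # comment: commented-out listeners don't count
            continue
        if tok in (";", "{", "}"):       # end of a directive or block header
            if len(cur) > 2 and cur[0] == "listen" and "quic" in cur[2:]:
                hits.append(cur[1])
            cur = []
        else:
            cur.append(tok.strip("\"'"))
    return hits

def http3_exposure(version_output, config_dump):
    """Apply the advisory's scope condition: module compiled in AND a quic listener."""
    built = V3_FLAG in version_output
    listeners = quic_listeners(config_dump)
    return {"module_built": built, "quic_listeners": listeners,
            "in_scope": built and bool(listeners)}

# Constructed sample inputs (not taken from any real host).
SAMPLE_V = ("nginx version: nginx/X.Y.Z\n"
            "configure arguments: --with-http_ssl_module --with-http_v3_module\n")
SAMPLE_CONF = """
http {
    server {
        listen 443 ssl;
        listen 443 quic reuseport;   # HTTP/3
        listen [::]:443 quic;
        # listen 8443 quic;
        add_header Alt-Svc 'h3=":443"; ma=86400';
    }
    server { listen 80; }
}
"""

if __name__ == "__main__":
    print(http3_exposure(SAMPLE_V, SAMPLE_CONF))
```

On a real host, `nginx -V` writes to stderr, and `nginx -T` prints the full configuration with includes expanded, so both can be captured and passed to `http3_exposure`.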
