Primary

Context

F5 BIG-IP Advanced WAF and NGINX App Protect Server-Side Request Forgery Vulnerability Leading to Denial-of-Service

Vulnerability

Patched

A denial-of-service vulnerability has been identified in F5 BIG-IP Advanced WAF and NGINX App Protect. When BIG-IP Advanced WAF is set up on a virtual server with server-side request forgery (SSRF) protection, or when an NGINX server uses App Protect Bot Defense, undisclosed requests can interfere with new client requests. This disruption allows a remote, unauthenticated attacker to cause a denial-of-service condition on the affected system.

Impact

Exploitation of this vulnerability disrupts traffic for new client requests, causing a denial-of-service condition on the impacted system.

Remediation

Users can upgrade to BIG-IP versions 17.5.0 or 17.1.2 to address this vulnerability. For NGINX App Protect, version 4.7.0 or 5.0.0 should be installed.

Added: Oct 15, 2025, 2:28 PM

Updated: Oct 15, 2025, 2:28 PM

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

0.6

exploitability

7.6

remediation

7.7

relevance

0.8

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

0.6

exploitability

7.6

remediation

7.7

relevance

0.8

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

F5 BIG-IP Advanced WAF and NGINX App Protect Server-Side Request Forgery Vulnerability Leading to Denial-of-Service

Vulnerability

Impact

Remediation

Affected Products

F5 BIG-IP Advanced WAF

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating