NGINX Open Source HTTP/2 Proxy Vulnerability Allowing Frame Header Injection

Vulnerability

A vulnerability exists in NGINX Open Source versions 1.29.4 to 1.30.0, specifically within the ngx_http_proxy_v2_module. When NGINX is configured to proxy HTTP/2 traffic and the proxy_set_body directive is in use, an attacker may inject HTTP/2 frame headers and payload bytes into the upstream connection. The injected bytes break the framing synchronization between NGINX and the upstream HTTP/2 peer, which can lead to data handling issues on that connection.

Impact

Exploitation allows for the injection of arbitrary HTTP/2 frame headers and payload bytes into the upstream connection, causing desynchronization between NGINX and the upstream HTTP/2 peer.

Remediation

To address this vulnerability, users should upgrade to NGINX version 1.31.0 or 1.30.1. If using NGINX Instance Manager, upgrade to version 2.21.2 or later. For NGINX Gateway Fabric, version 2.6.1 or later is recommended. Additionally, ensure that the proxy_set_body argument does not exceed 16 MiB, which may require adjusting large_client_header_buffers, client_body_buffer_size, or client_max_body_size. As a further precaution, switch the proxy_http_version directive to a version other than 2.
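An added configuration check, not part of this advisory or of NGINX itself: a small Python audit that reads an nginx configuration and flags the two conditions named above (proxy_http_version 2 combined with proxy_set_body, and body or header buffer limits above 16 MiB). The sample configuration, the function names and the conservative whole-file matching are this example's own assumptions.

```python
import re

LIMIT_BYTES = 16 * 1024 * 1024  # the 16 MiB ceiling named in the advisory

# Directives the advisory lists, with the index of their size argument
# (large_client_header_buffers takes "number size", so the size is args[1]).
SIZE_ARG = {"client_max_body_size": 0, "client_body_buffer_size": 0,
            "large_client_header_buffers": 1}

def parse_size(token: str) -> int:
    """Convert an nginx size token ('8k', '32m', '1g', '4096') to bytes."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", token.strip())
    if not m:
        raise ValueError(f"unrecognised nginx size: {token!r}")
    scale = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
    return int(m.group(1)) * scale[m.group(2).lower()]

def directives(text: str):
    """Yield (name, args) for each simple directive; comments and block
    openers/closers (lines without a trailing ';') are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.endswith(";"):
            continue
        parts = line[:-1].split()
        yield parts[0], parts[1:]

def audit_nginx_config(text: str) -> list[str]:
    """Return findings for the advisory's conditions. Conservative by design:
    block inheritance is not modelled, so co-occurrence anywhere is reported."""
    http2_proxy = set_body = False
    findings = []
    for name, args in directives(text):
        if name == "proxy_http_version" and args[:1] == ["2"]:
            http2_proxy = True
        elif name == "proxy_set_body":
            set_body = True
        elif name in SIZE_ARG and len(args) > SIZE_ARG[name]:
            size = parse_size(args[SIZE_ARG[name]])
            if size > LIMIT_BYTES:
                findings.append(f"{name} {args[SIZE_ARG[name]]} exceeds 16 MiB ({size} bytes)")
    if http2_proxy and set_body:
        findings.insert(0, "proxy_http_version 2 combined with proxy_set_body: "
                           "upgrade per advisory or set proxy_http_version 1.1")
    return findings

SAMPLE_CONFIG = """  # constructed sample config, not from any real deployment
http {
    client_max_body_size 64m;
    server {
        listen 443 ssl;
        location /api/ {
            proxy_http_version 2;
            proxy_set_body $request_body;
            proxy_pass https://upstream.example;
        }
    }
}
"""
```

Running `audit_nginx_config(SAMPLE_CONFIG)` returns two findings: the vulnerable directive combination and the 64m body limit above the advisory's 16 MiB ceiling.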

Added: May 13, 2026, 5:42 PM
Updated: May 13, 2026, 5:42 PM

Vulnerability Rating

Custom Algorithm

spread: 9.4
impact: 0.4
exploitability: 7.0
remediation: 7.9
relevance: 8.3
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.