NGINX Plus Vulnerability - Code Execution Risk from MP4 Files
In short, a flaw in NGINX can let attackers run malicious code using specially crafted MP4 video files.
A new vulnerability in NGINX Plus and Open Source could allow attackers to execute code via malicious MP4 files. This high-severity flaw affects many systems, requiring urgent updates. Security teams must act quickly to mitigate risks and protect their infrastructure.
The Flaw
A critical vulnerability has been identified in both NGINX Plus and NGINX Open Source, tracked as CVE-2026-32647. This security issue is classified with a CVSS v4.0 score of 8.5, indicating a high severity level. The flaw arises from an out-of-bounds read vulnerability within the ngx_http_mp4_module. When attackers craft a malicious MP4 file, they can exploit this flaw to manipulate memory, potentially leading to denial-of-service (DoS) conditions or even remote code execution.
The vulnerability exists entirely within the application’s data plane, meaning it does not expose the control plane. This isolation can mislead some into thinking the risk is lower than it is. However, if exploited, it can disrupt active network traffic and compromise the underlying system.
What's at Risk
For NGINX instances to be vulnerable, they must have the ngx_http_mp4_module enabled and actively configured to process MP4 files. NGINX Plus ships with this module built in, so any NGINX Plus instance is at risk as soon as the mp4 directive is configured. In contrast, NGINX Open Source users are affected only if they explicitly compiled in and enabled the module.
The potential impact of this vulnerability is significant. Attackers can not only cause service disruptions but could also execute arbitrary code on the host machine. This could allow them to gain unauthorized access or control over critical systems, leading to severe operational and security issues.
Patch Status
F5 has acknowledged the vulnerability and released patches for all affected product branches. Specifically, NGINX Plus versions R32 through R36 are vulnerable, with fixes available in R36 P3, R35 P2, and R32 P5. For NGINX Open Source, versions 1.1.19 through 1.29.6 are affected, with patches released in versions 1.28.3 and 1.29.7.
Organizations using these versions must prioritize updating their systems to mitigate the risk. F5 has also confirmed that other products, including BIG-IP, BIG-IQ, and F5 Distributed Cloud, are not affected by this vulnerability, which provides some relief to users of those systems.
Immediate Actions
Security teams are urged to update their NGINX deployments to the latest patched releases without delay. If immediate patching is not feasible, F5 recommends applying configuration-based mitigations. Administrators can disable the MP4 streaming module temporarily by modifying the primary configuration files located in the /etc/nginx directory.
To do this, they should comment out the server and location blocks that use the mp4 directive. After making these changes, it's crucial to validate the syntax with the command sudo nginx -t before reloading the service. This neutralizes the attack vector while keeping the rest of the service intact. Additionally, organizations should restrict media publishing rights to trusted users only, further reducing the risk of exploitation.
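The interim mitigation above comes down to two questions an administrator has to answer on each host (is the mp4 module compiled into the binary, and which configuration files still hand files to it) followed by a reversible edit. The script below is an added example, not code from the article or from F5. It assumes the configuration root is /etc/nginx unless another path is passed in, that the nginx binary on PATH is the one serving traffic, and it applies a narrower variant of the article's guidance: it comments out only the mp4 directive itself (keeping a .bak copy), rather than the whole server and location blocks. The directive is what routes requests into ngx_http_mp4_module; without it the location serves the file as plain static content.

```shell
#!/bin/sh
# Added example (not from the article or F5): audit an NGINX host for the
# preconditions named in the article and optionally apply the interim mitigation.
# Assumptions: config root defaults to /etc/nginx; nginx on PATH is the serving binary.

# Report whether the nginx binary on PATH was built with ngx_http_mp4_module.
# "nginx -V" prints its configure arguments to stderr. NGINX Plus ships with the
# module; Open Source builds include it only when --with-http_mp4_module was used.
mp4_module_compiled_in() {
    if ! command -v nginx >/dev/null 2>&1; then
        echo "unknown (nginx not on PATH)"
        return 0
    fi
    if nginx -V 2>&1 | grep -q -- '--with-http_mp4_module'; then
        echo yes
    else
        echo no
    fi
}

# Print "file:line:text" for every active (uncommented) mp4 directive under $1.
# A directive whose first non-blank character is '#' is already disabled and is
# skipped; backup copies written by disable_mp4_directives_in are ignored too.
active_mp4_directives() {
    root=${1:-/etc/nginx}
    grep -rnE '^[[:space:]]*mp4[[:space:]]*;' "$root" 2>/dev/null | grep -v '\.bak:' || true
}

# Number of active mp4 directives; 0 means no location still hands files to the module.
count_active_mp4_directives() {
    active_mp4_directives "$1" | awk 'END { print NR }'
}

# Interim mitigation for one config file: comment out each active mp4 directive,
# keeping the untouched original as FILE.bak so the change can be reverted after
# patching. Run "sudo nginx -t" and reload the service afterwards.
disable_mp4_directives_in() {
    f=$1
    cp "$f" "$f.bak"
    sed -E 's/^([[:space:]]*)mp4([[:space:]]*;)/\1# mp4\2  # disabled pending CVE-2026-32647 patch/' \
        "$f.bak" > "$f"
}

# Audit-only run when executed directly: config root from $1, default /etc/nginx.
# disable_mp4_directives_in is deliberately not called here; invoke it per file
# after reviewing the audit output.
echo "mp4 module compiled in: $(mp4_module_compiled_in)"
echo "active mp4 directives under ${1:-/etc/nginx}:"
active_mp4_directives "${1:-}"
```

Typical use is `sh audit_mp4.sh` for the report, then `disable_mp4_directives_in /etc/nginx/conf.d/media.conf` for each file listed, followed by `sudo nginx -t` and `sudo nginx -s reload`. The grep is a heuristic over files on disk, not a parse of what nginx actually includes, so a directive in a file that nginx never loads will show up as a false positive; a second run of the audit after the edits should report zero active directives.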
Cyber Security News