Impact
NGINX Plus and NGINX Open Source exhibit a heap buffer over-read in the ngx_http_charset_module when a location block contains both a source_charset utf-8 directive and another charset directive such as charset koi8-r. Remote, unauthenticated attackers can craft HTTP requests that trigger this condition, allowing them to read portions of the worker process memory or cause the process to restart. The attack does not require authentication and leverages an existing server configuration flaw, but it relies on the attacker being able to send requests to the affected location and to configure conflicting charset settings in the server.
Affected Systems
Both F5 NGINX Open Source and F5 NGINX Plus are affected. The vulnerability is present in any supported release of these products; specific vulnerable version ranges were not provided, and releases that have reached End of Technical Support are not evaluated.
Risk and Exploitability
The CVSS score of 6.3 indicates a moderate severity, and the EPSS score of less than 1 % implies that exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog, suggesting no known public exploitation. Exploitability is remote, triggered by HTTP requests to a location block with conflicting charset directives, and requires no credentials or privileged access. Attackers could achieve memory disclosure, potentially exposing sensitive information, or cause denial‑of‑service by restarting the NGINX worker process.
OpenCVE Enrichment
Debian DLA
Debian DSA
Ubuntu USN