NGINX
NGINX is an HTTP server, reverse proxy, and load balancer. It is widely deployed as a frontend for application servers and as a TLS termination point. F5 Networks acquired nginx Inc. in 2019, after which NVD retagged most historical CVEs from the nginx:nginx namespace to f5:nginx. Attestd queries both namespaces to ensure complete coverage across all versions.
Querying NGINX
Product: nginx
Versions: 1.27.4, 1.20.0, 1.24.0

curl "https://api.attestd.io/v1/check?product=nginx&version=1.20.0" \
  -H "Authorization: Bearer $ATTESTD_KEY"

NGINX 1.20.0 is affected by CVE-2021-23017 (DNS resolver off-by-one write). The response shows risk_state: "high" because the CVE is remotely exploitable without authentication, but has not been added to the CISA KEV catalog.

{
  "product": "nginx",
  "version": "1.20.0",
  "supported": true,
  "risk_state": "high",
  "risk_factors": [
    "remote_code_execution",
    "no_authentication_required",
    "internet_exposed_service",
    "patch_available"
  ],
  "actively_exploited": false,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "1.24.0",
  "confidence": 0.88,
  "cve_ids": ["CVE-2021-23017"],
  "last_updated": "2026-02-23T18:21:30Z"
}

NGINX 1.27.4 is the current stable release and has no known relevant vulnerabilities at the time of the last synthesis run.

curl "https://api.attestd.io/v1/check?product=nginx&version=1.27.4" \
  -H "Authorization: Bearer $ATTESTD_KEY"

CVE history
NGINX vulnerabilities cluster around three subsystems: the DNS resolver, HTTP/2 implementation, and optional media processing modules (mp4, image filter). The core HTTP/1.1 path has a strong security track record.
| CVE | Description | Affects | CVSS |
|---|---|---|---|
| CVE-2021-23017 | Off-by-one error in the DNS resolver when processing oversized DNS responses. Allows heap write to attacker-controlled location. Requires the nginx resolver directive to be in use. | 0.6.18 to 1.20.0 | 7.7 |
| CVE-2019-9511 | HTTP/2 data dribble attack. Remote attacker can force the server to queue large amounts of data by manipulating window sizes and stream priorities, consuming CPU and memory. | 1.9.5+ | 7.5 |
| CVE-2019-9513 | HTTP/2 resource loop. Attacker sends requests that continuously reconfigure HTTP/2 stream priority trees, causing excessive CPU use and denial of service. | 1.9.5+ | 7.5 |
| CVE-2022-41741 | Heap memory corruption in the NGINX mp4 module when processing specially crafted MP4 files. Can lead to code execution or crash. Only affects installations with the mp4 module compiled in. | 1.1.3 to 1.22.x | 7.8 |
| CVE-2022-41742 | Memory disclosure via the mp4 module. A crafted MP4 file causes the worker process to read memory outside the intended buffer. Companion to CVE-2022-41741. | 1.1.3 to 1.22.x | 7.1 |
Post-acquisition namespace handling
F5 acquired nginx Inc. in 2019. NVD retagged most historical CVEs from the nginx:nginx CPE to f5:nginx. Some pre-2019 CVEs remain under the original namespace. Attestd queries both and merges on CVE ID:
| CPE prefix | Coverage |
|---|---|
| cpe:2.3:a:f5:nginx | 2019 and later (post-acquisition) |
| cpe:2.3:a:nginx:nginx | Pre-2019 (some records remain here) |
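
The merge on CVE ID described above, sketched as an added example (not Attestd's code): records fetched per CPE namespace are collapsed to one entry per CVE, then matched against a version, which goes one step beyond the merge itself. The record layout, function names, and the assignment of CVEs to namespaces in the sample are assumptions; the version ranges come from the CVE history table.

```python
from collections import defaultdict

F5 = "cpe:2.3:a:f5:nginx"          # post-acquisition namespace
LEGACY = "cpe:2.3:a:nginx:nginx"   # original namespace

# Constructed per-namespace results; which CVE sits under which CPE here is
# illustrative only. Ranges follow the CVE history table ("1.22" = 1.22.x).
SAMPLE = {
    F5: [
        {"cve": "CVE-2021-23017", "first": "0.6.18", "last": "1.20.0"},
        {"cve": "CVE-2022-41741", "first": "1.1.3", "last": "1.22"},
    ],
    LEGACY: [{"cve": "CVE-2021-23017", "first": "0.6.18", "last": "1.20.0"}],
}


def parse(version):
    """'1.20.0' -> (1, 20, 0) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def merge_on_cve_id(results):
    """Collapse records from every namespace into one entry per CVE ID."""
    merged = defaultdict(lambda: {"sources": set(), "ranges": set()})
    for namespace, records in results.items():
        for rec in records:
            entry = merged[rec["cve"]]
            entry["sources"].add(namespace)
            entry["ranges"].add((parse(rec["first"]), parse(rec["last"])))
    return dict(merged)


def affecting(merged, version):
    """Sorted CVE IDs with at least one range containing `version`."""
    v = parse(version)
    # Truncating to the bound's length makes a two-part bound like (1, 22)
    # cover every 1.22.x release.
    return sorted(
        cve for cve, entry in merged.items()
        if any(lo <= v and v[:len(hi)] <= hi for lo, hi in entry["ranges"])
    )


if __name__ == "__main__":
    merged = merge_on_cve_id(SAMPLE)
    for version in ("1.20.0", "1.22.0", "1.27.4"):
        print(version, affecting(merged, version))
```

Range matching alone also lists CVE-2022-41741 for 1.20.0; whether the mp4 module is compiled in has to be checked separately.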