Updated: 2025-08-20 02:28:59.62022
Description:
NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its termination or potential other impact using a specially crafted audio or video file. The issue affects only NGINX products that are built with the ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.
Links: NIST | CIRCL | RHEL | Ubuntu

| CVSS version | Severity | Score |
|---|---|---|
| CVSS Version 2.x | | 0.0 |
| CVSS Version 3.x | HIGH | 7.8 |

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | nginx | 1.20.1 | 7.8 | HIGH | Released | CLSA-2025:1753207126 | 2025-07-23 02:14:08 | |
| CentOS 6 ELS | nginx | 1.10.3 | 7.8 | HIGH | Released | CLSA-2022:1669066613 | 2022-11-30 19:51:08 | |
| CentOS 7 ELS | nginx | 1.20.1 | 7.8 | HIGH | Already Fixed | | 2024-04-19 09:59:19 | |
| CentOS 8.4 ELS | nginx | 1.14.1-9 | 7.8 | HIGH | Released | CLSA-2022:1669065236 | 2022-11-21 16:21:52 | |
| CentOS 8.5 ELS | nginx | 1.14.1-9 | 7.8 | HIGH | Released | CLSA-2022:1669065389 | 2022-11-21 16:21:52 | |
| CloudLinux 6 ELS | nginx | 1.10.3 | 7.8 | HIGH | Released | CLSA-2022:1669068605 | 2022-11-21 20:16:20 | |
| Debian 10 ELS | nginx | 1.14.2 | 7.8 | HIGH | Already Fixed | | 2025-11-03 17:21:00 | |
| Oracle Linux 6 ELS | nginx | 1.10.3 | 7.8 | HIGH | Released | CLSA-2022:1669065718 | 2022-11-21 20:16:20 | |
| Ubuntu 16.04 ELS | nginx | 1.10.3-0 | 7.8 | HIGH | Released | CLSA-2022:1669065608 | 2022-11-21 16:21:52 | |
| Ubuntu 18.04 ELS | nginx | 1.14.0-0 | 7.8 | HIGH | Already Fixed | | 2023-06-02 09:09:39 | |