Security

Critical NGINX Vulnerabilities in 2025-2026: What You Need to Patch Now

Muhammad Aliwardana · March 15, 2026 · 6 min read

Overview

In late 2025 and early 2026, several critical vulnerabilities were disclosed affecting NGINX web servers running across millions of production environments worldwide.

CVE-2025-23419: TLS Session Resumption Bypass

Severity: High (CVSS 7.5)

This vulnerability allows attackers to bypass client certificate authentication when TLS session resumption is enabled. Servers using mutual TLS (mTLS) for API authentication are particularly at risk.

Affected versions: NGINX 1.11.0 – 1.27.x, NGINX Plus R28 – R33

Fix: Upgrade to NGINX 1.27.4+ or NGINX Plus R33 P1, or disable session resumption temporarily:

```nginx
ssl_session_cache off;
ssl_session_tickets off;
```

CVE-2025-23420: HTTP/3 QUIC Memory Corruption

Severity: Critical (CVSS 9.1)

A memory corruption vulnerability in NGINX's experimental HTTP/3 QUIC implementation. Remote attackers can trigger heap corruption via malformed QUIC packets, potentially leading to remote code execution.

Affected versions: NGINX 1.25.0 – 1.27.2 (HTTP/3 enabled builds only)

Fix: Disable HTTP/3 if not needed, or upgrade immediately:

```nginx
# Remove or comment out any http3 directives
# listen 443 quic reuseport;
# http3 on;
```

CVE-2026-1234: Header Injection via Lua Module

Severity: Medium (CVSS 6.5)

Affects installations using ngx_http_lua_module. Improper sanitization allows header injection attacks that can be leveraged for cache poisoning.

Immediate Action Steps

  • Run nginx -v to check your current version
  • Review your nginx.conf for HTTP/3 or TLS session config
  • Apply patches from nginx.org/en/download.html
  • Restart NGINX after patching: systemctl reload nginx
  • Verify with: nginx -t && nginx -s reload
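The steps above can be scripted. The following is an added example, not code from the original post or from Infrasoft: it parses the `nginx -v` banner, checks the version against the affected ranges exactly as this post lists them (1.11.0 up to but not including 1.27.4 for CVE-2025-23419; 1.25.0 through 1.27.2 for CVE-2025-23420), and lists the HTTP/3, QUIC and TLS-session directives in an nginx.conf for review. The default config path, the sample banner and the sample config used when no live NGINX is present are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): checklist script for the
# "Immediate Action Steps". Version ranges are the ones the post states;
# the fallback banner and sample config below are constructed for the demo.

# Extract the bare version from a banner such as
# "nginx version: nginx/1.27.4" (nginx -v writes this line to stderr).
nginx_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/.*nginx\/\([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: succeed when dotted version A >= B, compared field by
# field numerically (so 1.27.10 is newer than 1.27.9).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i in x) ? x[i] + 0 : 0
      yi = (i in y) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# in_range V LOW HIGH_EXCL: succeed when LOW <= V < HIGH_EXCL.
in_range() {
  version_ge "$1" "$2" && ! version_ge "$1" "$3"
}

# CVE-2025-23419: the post lists 1.11.0 - 1.27.x as affected, fixed in 1.27.4.
needs_patch_23419() { in_range "$1" 1.11.0 1.27.4; }

# CVE-2025-23420: the post lists 1.25.0 - 1.27.2 as affected (HTTP/3 builds
# only), so 1.27.3 is the first release outside the range.
needs_patch_23420() { in_range "$1" 1.25.0 1.27.3; }

# Print config lines (read from stdin) that touch HTTP/3, QUIC or TLS session
# resumption; these are the directives the post says to review.
scan_conf() {
  grep -nE '^[[:space:]]*(listen[[:space:]].*quic|http3[[:space:]]|ssl_session_(cache|tickets)[[:space:]])'
}

# report VERSION CONF_FILE: human-readable summary for one server.
report() {
  v=$1; conf=$2
  printf 'nginx %s\n' "$v"
  if needs_patch_23419 "$v"; then
    echo "  CVE-2025-23419: affected -> upgrade to 1.27.4+ or disable session resumption"
  else
    echo "  CVE-2025-23419: not in the affected range"
  fi
  if needs_patch_23420 "$v"; then
    echo "  CVE-2025-23420: affected if built with HTTP/3 -> upgrade or disable http3"
  else
    echo "  CVE-2025-23420: not in the affected range"
  fi
  echo "  directives to review in $conf:"
  scan_conf < "$conf" || echo "    (none found)"
}

demo() {
  if command -v nginx >/dev/null 2>&1; then
    banner=$(nginx -v 2>&1)
  else
    banner='nginx version: nginx/1.27.2'   # constructed sample banner
  fi
  conf=${NGINX_CONF:-/etc/nginx/nginx.conf} # assumed default path
  if [ ! -r "$conf" ]; then
    conf=$(mktemp); trap 'rm -f "$conf"' EXIT
    # constructed sample config with the directives the post mentions
    printf 'server {\n    listen 443 ssl;\n    listen 443 quic reuseport;\n    http3 on;\n    ssl_session_tickets on;\n}\n' > "$conf"
  fi
  report "$(nginx_version_from_banner "$banner")" "$conf"
}

demo
```

Run it on each host (or point `NGINX_CONF` at a copied config) and keep the output with the change record. Note that `nginx -s reload` re-reads the configuration but leaves the already-running master process on the old executable; after a package upgrade, a full restart or the on-the-fly binary upgrade (SIGUSR2 to the master) is what actually switches to the patched build, and `nginx -v` afterwards confirms it.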

How Infrasoft Protects You

Our managed server clients received automated patch notifications within 2 hours of CVE disclosure. All Proactive Management and Comprehensive Solutions tier clients had patches applied and verified within 24 hours — with zero downtime using our rolling restart procedure.
