CVSS3: 5.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
AI Score: 7.2 High (Confidence: High)
EPSS: 0.0004 Low (Percentile: 15.5%)
Security Advisory Description
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed HTTP/3 requests can cause NGINX worker processes to terminate. (CVE-2024-35200)
Note: This issue affects NGINX systems compiled with the ngx_http_v3_module module, where the configuration contains a listen directive with the quic option enabled. The HTTP/3 QUIC module is considered an experimental feature and is not compiled by default in NGINX OSS, but it is compiled by default in NGINX Plus. For more information, refer to Support for QUIC and HTTP/3.
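The two conditions in the note above can be checked against a host's own `nginx -V` and `nginx -T` output. The following is an added example, not part of the advisory or any vendor tooling; the function names and sample inputs are constructed, and it assumes the build lists the module as `--with-http_v3_module` in its configure arguments.

```python
import re

def has_http3_module(nginx_v_output):
    """True if the configure arguments from `nginx -V` include the HTTP/3 module."""
    return "--with-http_v3_module" in nginx_v_output.split()

def quic_listeners(config):
    """Return every `listen` directive that carries the `quic` parameter."""
    # Drop '#' comments (simplification: '#' inside quoted strings is not handled).
    text = "\n".join(line.split("#", 1)[0] for line in config.splitlines())
    found = []
    # Directives end at ';' and may span lines; '{' and '}' delimit blocks.
    for statement in re.split(r"[;{}]", text):
        words = statement.split()
        if words and words[0] == "listen" and "quic" in words[1:]:
            found.append(" ".join(words))
    return found

def assess(nginx_v_output, config):
    """Combine both conditions named in the advisory note."""
    listeners = quic_listeners(config)
    compiled = has_http3_module(nginx_v_output)
    return {"module_compiled": compiled, "quic_listeners": listeners,
            "matches_note": compiled and bool(listeners)}

# Constructed sample inputs (not from a real host).
SAMPLE_V = "nginx version: nginx/X.Y.Z\nconfigure arguments: --with-http_ssl_module --with-http_v3_module\n"
SAMPLE_CONF = """
http {
    server {
        listen 443 ssl;
        listen 443 quic reuseport;   # HTTP/3 listener
        # listen 8443 quic;
        server_name quic.example.test;
        listen [::]:443
            quic;
    }
}
"""

if __name__ == "__main__":
    print(assess(SAMPLE_V, SAMPLE_CONF))
```

On a live host, pass the text of `nginx -V 2>&1` and `nginx -T` in place of the samples.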
Impact
Client traffic may be disrupted while the worker process restarts. This vulnerability allows a remote unauthenticated attacker to cause a denial-of-service (DoS). There is no control plane exposure; this is a data plane issue only.