Vulnerability Note VU#180065

Nginx ngx_http_parse_complex_uri() buffer underflow vulnerability

Original Release date: 15 Sep 2009 | Last revised: 21 Sep 2009


A vulnerability in the nginx web server may allow remote attackers to execute arbitrary code on an affected system.


nginx is an HTTP server and mail proxy server that is available for a number of different platforms. A buffer underflow vulnerability exists in the ngx_http_parse_complex_uri() function when handling specially crafted URIs. Exploitation of this vulnerability would cause the nginx server to write data contained in the URI to heap memory before the allocated buffer.


As with a number of other web servers, nginx is designed to operate with a single privileged master process and multiple unprivileged worker processes handling specific requests. A remote, unauthenticated attacker may be able to execute arbitrary code in the context of the worker process or cause the worker process to crash, resulting in a denial of service.


Upgrade or apply a patch

Updated versions of the nginx package have been released to address this issue. Users should consult the Systems Affected section of this document for information about specific vendors.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Debian GNU/LinuxAffected05 Sep 200914 Sep 2009
Gentoo LinuxAffected05 Sep 200921 Sep 2009
nginxAffected-15 Sep 2009
Sun Microsystems, Inc.Not Affected05 Sep 200909 Sep 2009
SUSE LinuxNot Affected05 Sep 200908 Sep 2009
The SCO GroupNot Affected05 Sep 200908 Sep 2009
Apple Inc.Unknown05 Sep 200906 Sep 2009
Conectiva Inc.Unknown05 Sep 200906 Sep 2009
Cray Inc.Unknown05 Sep 200906 Sep 2009
DragonFly BSD ProjectUnknown05 Sep 200906 Sep 2009
EMC CorporationUnknown05 Sep 200906 Sep 2009
Engarde Secure LinuxUnknown05 Sep 200906 Sep 2009
F5 Networks, Inc.Unknown05 Sep 200906 Sep 2009
Fedora ProjectUnknown05 Sep 200906 Sep 2009
FreeBSD, Inc.Unknown05 Sep 200906 Sep 2009
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A


  • None


Thanks to Chris Ries of the Carnegie Mellon University Information Security Office for reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

  • CVE IDs: CVE-2009-2629
  • Date Public: 14 Sep 2009
  • Date First Published: 15 Sep 2009
  • Date Last Updated: 21 Sep 2009
  • Severity Metric: 4.22
  • Document Revision: 8


If you have feedback, comments, or additional information about this vulnerability, please send us email.