CVE-2020-36309 Overview
CVE-2020-36309 is an input validation vulnerability affecting ngx_http_lua_module (also known as lua-nginx-module) before version 0.10.16 in OpenResty. The vulnerability allows unsafe characters in an argument when using the API to mutate a URI, or a request or response header, potentially enabling header injection or request manipulation attacks.
Critical Impact
Attackers can inject unsafe characters through the lua-nginx-module API when modifying URIs or HTTP headers, potentially leading to HTTP header injection, request smuggling, or response splitting attacks.
Affected Products
- OpenResty lua-nginx-module versions prior to 0.10.16
Discovery Timeline
- 2021-04-06 - CVE-2020-36309 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2020-36309
Vulnerability Analysis
This vulnerability stems from insufficient input validation in the lua-nginx-module's API functions responsible for URI and HTTP header manipulation. When developers use the module's API to dynamically modify request URIs, request headers, or response headers, the module fails to properly sanitize or reject unsafe characters. This inadequate character validation creates an integrity issue where malicious actors can inject control characters or special sequences that alter the intended behavior of HTTP requests and responses.
The vulnerability is exploitable over the network without requiring authentication or user interaction, making it accessible to remote attackers. While the impact is limited to integrity concerns (no direct confidentiality breach or denial of service), successful exploitation could enable HTTP response splitting, header injection attacks, or cache poisoning scenarios depending on the application context.
Root Cause
The root cause is improper input validation within the lua-nginx-module API. Specifically, when the API functions are called to mutate URIs or HTTP headers, the module does not adequately filter or escape special characters such as carriage returns (\r), line feeds (\n), or other control characters that have semantic meaning in the HTTP protocol. This oversight allows these characters to pass through unchecked, breaking HTTP message boundaries.
Attack Vector
The attack vector is network-based, requiring no privileges or user interaction. An attacker exploits this vulnerability by:
- Sending crafted input to an application that uses the vulnerable lua-nginx-module API to modify URIs or headers
- Including unsafe characters (such as CRLF sequences) in the input that is passed to the API
The module incorporates the unsanitized characters into the modified URI or headers, and depending on the application logic this results in HTTP header injection, response splitting, or request manipulation.
The vulnerability specifically affects applications that use OpenResty's Lua APIs such as ngx.req.set_uri(), ngx.req.set_header(), or ngx.header for dynamic header/URI manipulation where user-controlled input may be incorporated.
Detection Methods for CVE-2020-36309
Indicators of Compromise
- Unusual HTTP requests containing CRLF sequences (%0d%0a or \r\n) in URI parameters or header values
- Log entries showing malformed or duplicated HTTP headers in requests
- Evidence of HTTP response splitting attacks such as injected Set-Cookie headers or cache poisoning
- Anomalous behavior in downstream systems receiving manipulated requests
Detection Strategies
- Monitor nginx access and error logs for requests containing encoded CRLF characters (%0d, %0a, %0D, %0A)
- Implement web application firewall (WAF) rules to detect and block HTTP header injection patterns
- Review application code that uses ngx.req.set_uri(), ngx.req.set_header(), or response header manipulation for user-controlled input
- Audit lua-nginx-module version across all OpenResty deployments to identify vulnerable instances
Monitoring Recommendations
- Configure SentinelOne to monitor for unusual HTTP traffic patterns indicative of header injection attempts
- Set up alerts for nginx error logs indicating malformed headers or invalid characters
- Monitor for cache poisoning indicators if caching layers are in use
- Track lua-nginx-module version deployments as part of software inventory management
How to Mitigate CVE-2020-36309
Immediate Actions Required
- Upgrade lua-nginx-module to version 0.10.16 or later immediately
- Audit all Lua code that uses URI or header mutation APIs for proper input sanitization
- Implement input validation at the application layer to filter CRLF and other control characters before passing to lua-nginx-module APIs
- Consider deploying WAF rules to block requests containing header injection patterns as an interim measure
Patch Information
The vulnerability has been addressed in lua-nginx-module version 0.10.16. The fix is documented in GitHub Pull Request #1654. Organizations should upgrade to version 0.10.16 or later. The complete changelog between affected and fixed versions can be reviewed in the GitHub version comparison.
Additional advisories are available from NetApp Security Advisory NTAP-20210507-0005 and the Debian LTS Announcement.
Workarounds
- Implement strict input validation in application code before calling any lua-nginx-module API that modifies URIs or headers
- Filter out or reject any input containing CRLF sequences, null bytes, or other HTTP control characters
- Use allowlist-based validation for header values and URI components where possible
- Deploy a reverse proxy or WAF in front of vulnerable OpenResty instances to filter malicious requests
# Example nginx configuration to help mitigate header injection.
# log_format is only valid in the http {} context; the if block belongs in the
# server {} or location {} that fronts the OpenResty application.
http {
    # Log suspicious requests for monitoring. $args is the raw, still
    # percent-encoded query string, so encoded CRLF appears verbatim.
    log_format security '$remote_addr - $remote_user [$time_local] '
                        '"$request" $status $body_bytes_sent '
                        '"$http_referer" "$http_user_agent" '
                        'args="$args"';

    server {
        access_log /var/log/nginx/security.log security;  # adjust path as needed

        # Block requests with percent-encoded CR or LF in the query string.
        # ~* is case-insensitive, so %0d also matches %0D. This does not
        # inspect header values; validate those in the application's Lua code.
        if ($args ~* "(%0d|%0a)") {
            return 400;
        }
    }
}
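The validation that the Attack Vector and Workarounds sections call for, as an added Lua example that is not part of this advisory or of the lua-nginx-module project: guard functions (hypothetical names) that reject CR, LF, NUL and other control characters before a value reaches ngx.req.set_header(), ngx.header or ngx.req.set_uri(). The assertions at the end use constructed sample values and run under plain lua or luajit; the ngx calls themselves only execute inside OpenResty.

```lua
-- Header field names: RFC 7230 token characters only.
local TOKEN = "^[%w!#$%%&'*+%-.^_`|~]+$"

local function is_safe_header_name(name)
  return type(name) == "string" and name:find(TOKEN) ~= nil
end

-- Header field values: visible ASCII, space and HTAB pass; CR, LF, NUL, all
-- other control characters and DEL are rejected. %z matches NUL on
-- LuaJIT/Lua 5.1, whose patterns cannot embed a literal NUL.
local function is_safe_header_value(value)
  return type(value) == "string"
     and value:find("[%z\1-\8\10-\31\127]") == nil
end

-- URI paths for ngx.req.set_uri(): no control characters or whitespace.
local function is_safe_uri(uri)
  return type(uri) == "string" and uri ~= "" and uri:find("[%z%c%s]") == nil
end

-- Guarded replacements for the mutation APIs named in the advisory. Each
-- returns true, or nil plus a reason, and never passes an unchecked value on.
local function set_request_header_safe(name, value)
  if not (is_safe_header_name(name) and is_safe_header_value(value)) then
    return nil, "unsafe request header: " .. tostring(name)
  end
  ngx.req.set_header(name, value)
  return true
end

local function set_response_header_safe(name, value)
  if not (is_safe_header_name(name) and is_safe_header_value(value)) then
    return nil, "unsafe response header: " .. tostring(name)
  end
  ngx.header[name] = value
  return true
end

local function set_uri_safe(uri)
  if not is_safe_uri(uri) then return nil, "unsafe uri" end
  ngx.req.set_uri(uri)
  return true
end

-- Constructed samples, not real traffic: the guards must reject a CRLF payload
-- of the kind the advisory describes and accept an ordinary value.
assert(is_safe_header_value("en-US,en;q=0.9"))
assert(not is_safe_header_value("x\r\nSet-Cookie: a=b"))
assert(not is_safe_header_value("x\0y") and not is_safe_header_name("X-Bad Name"))
assert(is_safe_uri("/api/v1/items") and not is_safe_uri("/a\r\nb"))
```

Callers that receive nil from a guard should answer the request with a 400 (for example via ngx.exit(ngx.HTTP_BAD_REQUEST)) rather than fall back to the unguarded API.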
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.