CVE-2024-24990 Overview
CVE-2024-24990 is a Use After Free vulnerability affecting NGINX Plus and NGINX Open Source when configured to use the experimental HTTP/3 QUIC module. Specially crafted, undisclosed requests can cause NGINX worker processes to terminate unexpectedly, leading to a denial of service condition. The vulnerability exists in the QUIC protocol handling code and can be exploited remotely without authentication.
It is important to note that the HTTP/3 QUIC module is not enabled by default and is considered experimental by F5. Organizations that have enabled this module for HTTP/3 support should assess their exposure and apply patches immediately.
Critical Impact
Remote attackers can crash NGINX worker processes through specially crafted HTTP/3 QUIC requests, causing service disruption without requiring authentication.
Affected Products
- F5 NGINX Open Source versions 1.25.0 through 1.25.3
- F5 NGINX Plus R30 and R30-P1
- F5 NGINX Plus R31
Discovery Timeline
- 2024-02-14 - CVE-2024-24990 published to NVD
- 2025-02-13 - Last updated in NVD database
Technical Details for CVE-2024-24990
Vulnerability Analysis
This vulnerability is classified as CWE-416 (Use After Free), a memory corruption vulnerability where the application continues to reference memory after it has been freed. In the context of NGINX's HTTP/3 QUIC module, this occurs during the processing of certain HTTP/3 requests over the QUIC protocol.
When a malformed or specially crafted request is processed by the QUIC module, the code improperly accesses memory that has already been deallocated. This results in undefined behavior that manifests as worker process termination. Since NGINX typically runs multiple worker processes, an attacker would need to send multiple malicious requests to cause a complete denial of service, though even single worker crashes can degrade performance and availability.
The vulnerability can be triggered remotely across the network without requiring any authentication or user interaction, making it particularly dangerous for internet-facing NGINX deployments with HTTP/3 enabled.
Root Cause
The root cause is a Use After Free condition in the HTTP/3 QUIC module's request handling code. When processing certain requests, the module frees memory that is subsequently accessed, leading to memory corruption and worker process crashes. This type of vulnerability typically occurs when object lifetime management is not properly handled, particularly in complex protocol implementations like QUIC where multiple streams and connections must be managed concurrently.
Attack Vector
The attack vector is network-based, targeting NGINX instances configured with the experimental HTTP/3 QUIC module. An attacker can send specially crafted HTTP/3 requests over QUIC (typically UDP port 443) to trigger the vulnerability. The attack requires:
- Target NGINX instance has HTTP/3 QUIC module enabled
- Attacker can reach the QUIC listener (typically UDP/443)
- Attacker sends malformed HTTP/3 requests designed to trigger the use-after-free condition
The vulnerability does not require authentication and can be exploited without any user interaction, making it suitable for automated attack tools.
Detection Methods for CVE-2024-24990
Indicators of Compromise
- Unexpected NGINX worker process terminations in system logs
- Elevated number of NGINX process restarts in a short time period
- Anomalous HTTP/3 QUIC traffic patterns from suspicious sources
- Error messages related to memory access violations in NGINX error logs
Detection Strategies
- Monitor NGINX error logs for worker process crash events and segmentation faults
- Implement network-level monitoring for unusual QUIC protocol traffic patterns
- Deploy intrusion detection rules to identify malformed HTTP/3 requests
- Track NGINX process stability metrics and alert on abnormal restart frequencies
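The log-based strategies above can be turned into concrete detection logic. The following is an added example (not part of the original advisory or of NGINX itself): it parses NGINX error_log lines for the master process message "worker process N exited on signal S", summarises crashes per signal (11 is SIGSEGV, the usual symptom of a memory-safety fault such as a use-after-free; 6 is SIGABRT), and raises an alert when a configurable number of crashes fall inside a sliding time window. The log lines are constructed sample data; the error_log line shape ("YYYY/MM/DD HH:MM:SS [level] pid#tid: message") follows NGINX's default format. A worker crash by itself is not proof of exploitation, so the output should be correlated with QUIC traffic sources and the patch status of the instance.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# nginx error_log line shape: "YYYY/MM/DD HH:MM:SS [level] pid#tid: message"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#\d+: (?P<msg>.*)$"
)
# Message the master process writes when a worker dies from a signal
CRASH_RE = re.compile(r"worker process (?P<wpid>\d+) exited on signal (?P<sig>\d+)")

# Constructed sample log: four SIGSEGV (11) crashes inside about one minute,
# one SIGABRT (6) much later, plus a start-worker notice and an unrelated
# file error that the parser must ignore.
SAMPLE_LOG = """\
2024/02/14 10:00:01 [notice] 1000#1000: start worker process 1001
2024/02/14 10:00:05 [alert] 1000#1000: worker process 1001 exited on signal 11 (core dumped)
2024/02/14 10:00:05 [notice] 1000#1000: start worker process 1002
2024/02/14 10:00:20 [alert] 1000#1000: worker process 1002 exited on signal 11 (core dumped)
2024/02/14 10:00:41 [alert] 1000#1000: worker process 1003 exited on signal 11 (core dumped)
2024/02/14 10:00:55 [error] 1000#1000: *12 open() "/var/www/missing" failed (2: No such file or directory)
2024/02/14 10:01:02 [alert] 1000#1000: worker process 1004 exited on signal 11 (core dumped)
2024/02/14 11:30:00 [alert] 1000#1000: worker process 1010 exited on signal 6
""".splitlines()


def parse_crashes(lines):
    """Return [(timestamp, worker_pid, signal)] for every worker-crash line."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        c = CRASH_RE.search(m.group("msg"))
        if not c:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        events.append((ts, int(c.group("wpid")), int(c.group("sig"))))
    return events


def signal_summary(events):
    """Count crashes per signal number (11 = SIGSEGV, 6 = SIGABRT, ...)."""
    counts = {}
    for _, _, sig in events:
        counts[sig] = counts.get(sig, 0) + 1
    return counts


def crash_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Sliding-window detector: emit (window_start, count) at the moment the
    number of crashes inside `window` reaches `threshold`. Later crashes in
    the same window do not re-alert; a fresh crossing after the window has
    drained does."""
    alerts = []
    recent = deque()
    for ts, _, _ in sorted(events):
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) == threshold:
            alerts.append((recent[0], len(recent)))
    return alerts


if __name__ == "__main__":
    crashes = parse_crashes(SAMPLE_LOG)
    print("crashes by signal:", signal_summary(crashes))
    for start, n in crash_bursts(crashes):
        print(f"ALERT: {n} worker crashes within 60s starting {start:%Y-%m-%d %H:%M:%S}")
```

On the sample data the detector reports one burst of three crashes starting at 10:00:05 and ignores the isolated SIGABRT at 11:30. In production the same functions can be fed from `tail -F` on the error log or from a log shipper, with the threshold tuned to the worker_processes setting of the host.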
Monitoring Recommendations
- Enable detailed NGINX logging for the QUIC module to capture request details
- Configure alerting for NGINX worker process crashes via system monitoring tools
- Implement rate limiting on QUIC connections from individual source IPs
- Use SentinelOne Singularity to monitor for process anomalies and unexpected terminations
How to Mitigate CVE-2024-24990
Immediate Actions Required
- Upgrade NGINX Open Source to version 1.25.4 or later
- Upgrade NGINX Plus to R31-P1, R30-P2, or a later release
- If patching is not immediately possible, disable the HTTP/3 QUIC module
- Review NGINX configurations to identify all instances with QUIC enabled
Patch Information
F5 has released patches addressing this vulnerability. Detailed patch information and upgrade instructions are available in the F5 Knowledge Base Article K000138445. Organizations should prioritize patching based on their exposure to HTTP/3 traffic.
For NGINX Open Source users, upgrade to version 1.25.4 or later. For NGINX Plus customers, upgrade to R31-P1, R30-P2, or a later supported release.
Workarounds
- Disable the HTTP/3 QUIC module if it is not required for operations by removing the quic parameter from listen directives (see the configuration example below)
- Implement network-level filtering to restrict QUIC traffic to trusted sources only
- Use a Web Application Firewall (WAF) to filter potentially malicious HTTP/3 requests
- Consider reverting to HTTP/2 until patches can be applied
# Configuration example - Disable HTTP/3 QUIC in NGINX
# Edit your NGINX configuration file (e.g., /etc/nginx/nginx.conf)
# Remove or comment out the listen directive that carries the quic parameter
# Before (vulnerable configuration):
# listen 443 quic reuseport;
# listen 443 ssl;
# After (HTTP/3 disabled):
# listen 443 ssl;
# Test the configuration and reload NGINX
nginx -t && nginx -s reload
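Reviewing every instance for QUIC listeners (Immediate Actions) and confirming the installed build against the affected list (Patch Information) are both mechanical checks. The following is an added example, not code from F5, NGINX or the original advisory: it tokenises an nginx configuration while honouring quotes and comments, lists the listen directives that carry the quic parameter, and classifies the `nginx -v` banner against the versions named above (Open Source 1.25.0 through 1.25.3; Plus R30, R30-P1 and R31). The configuration text is constructed sample data. The Plus banner shape `(nginx-plus-rNN[-pM])` is an assumption of this example; `nginx -v` writes its banner to stderr, and `nginx -T` dumps the fully resolved configuration including files pulled in by include, which is the text to feed into the audit in practice.

```python
import re

# Constructed nginx.conf fragment: two QUIC listeners, one commented out, and an
# Alt-Svc header whose quoted value contains ';' to exercise the tokenizer.
SAMPLE_CONF = """\
http {
    server {
        listen 443 quic reuseport;   # HTTP/3 endpoint
        listen 443 ssl;
        server_name example.test;
        # listen 8443 quic;          # disabled earlier, must not be reported
        add_header Alt-Svc 'h3=":443"; ma=86400';
    }
    server {
        listen 80;
        listen [::]:443 quic;
        listen [::]:443 ssl;
    }
}
"""


def iter_directives(text):
    """Yield (name, [args]) for each directive, honouring quotes and '#' comments.
    Block openers such as 'server {' are yielded too; '}' is only a separator."""
    buf, quote, i = [], None, 0
    while i < len(text):
        ch = text[i]
        if quote:
            buf.append(ch)
            if ch == "\\" and i + 1 < len(text):   # keep escaped char verbatim
                i += 1
                buf.append(text[i])
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            buf.append(ch)
        elif ch == "#":                            # comment runs to end of line
            nl = text.find("\n", i)
            i = len(text) if nl == -1 else nl
            continue
        elif ch in ";{}":
            stmt = "".join(buf).strip()
            buf = []
            if stmt and ch != "}":
                parts = stmt.split()
                yield parts[0], parts[1:]
        else:
            buf.append(ch)
        i += 1


def find_quic_listeners(config_text):
    """Return the listen directives that carry the 'quic' parameter."""
    return [
        " ".join(["listen", *args])
        for name, args in iter_directives(config_text)
        if name == "listen" and "quic" in args
    ]


def version_is_affected(banner):
    """Decide from the `nginx -v` banner whether the build is in the advisory's
    affected set: Open Source 1.25.0-1.25.3, Plus R30, R30-P1, R31.
    The Plus banner shape '(nginx-plus-rNN[-pM])' is an assumption here."""
    plus = re.search(r"nginx-plus-r(\d+)(?:-p(\d+))?", banner)
    if plus:
        release, patch = int(plus.group(1)), int(plus.group(2) or 0)
        return (release == 30 and patch <= 1) or (release == 31 and patch == 0)
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"unrecognised nginx banner: {banner!r}")
    version = tuple(int(x) for x in m.groups())
    return (1, 25, 0) <= version <= (1, 25, 3)


def assess(banner, config_text):
    """Exposure needs an affected build *and* at least one QUIC listener."""
    listeners = find_quic_listeners(config_text)
    affected = version_is_affected(banner)
    return {"affected_build": affected, "quic_listeners": listeners,
            "exposed": affected and bool(listeners)}


if __name__ == "__main__":
    # Constructed banners; on a real host use the stderr of `nginx -v`
    for banner in ("nginx version: nginx/1.25.3",
                   "nginx version: nginx/1.25.3 (nginx-plus-r31-p1)"):
        print(banner, "->", assess(banner, SAMPLE_CONF))
```

An instance on an affected build with no quic listener is flagged as an affected build but not exposed, which matches the page's point that the module must be enabled for the vulnerable code to be reachable; such hosts still belong on the patch list.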
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.