Platform
nginx
Component
nginx
Fixed in
0.27.1
CVE-2025-66570 is a critical vulnerability affecting Nginx versions up to 0.27.0. The flaw allows attackers to inject HTTP headers with the reserved names REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, and LOCAL_PORT, which the server then uses for its own metadata, logging, and authorization decisions. Successful exploitation could lead to data leakage, privilege escalation, and potentially complete server compromise. A patched version of Nginx is available to address this issue.
The vulnerability stems from how cpp-httplib, a library used by Nginx, handles HTTP headers. The read_headers() function in httplib.h accepts client-supplied headers under any name, including the reserved ones. Subsequently, Nginx's Server::process_request function appends its own internal metadata under the same header names without removing the client-supplied duplicates. As a result, an attacker-controlled header value can shadow the legitimate server metadata, influencing authorization decisions or exposing sensitive information through logging. For example, an attacker could inject a REMOTE_ADDR header to impersonate a trusted client or manipulate access controls. The impact is significant, as it can lead to unauthorized access, data breaches, and complete system compromise, particularly in environments where Nginx is used as a reverse proxy or load balancer.
This vulnerability is considered high-risk due to its critical CVSS score and the potential for widespread impact. While no public exploits have been widely reported, the ease of exploitation makes it a likely target for attackers. The vulnerability was publicly disclosed on 2025-12-05. Monitor security advisories and threat intelligence feeds for any signs of active exploitation. It's prudent to assume that attackers are actively seeking ways to exploit this vulnerability.
Exploit Status
EPSS
0.04% (13th percentile)
The primary mitigation is to upgrade Nginx to a version patched against this vulnerability. Refer to the official Nginx documentation for upgrade instructions specific to your operating system and deployment environment. If an immediate upgrade is not possible, consider temporary workarounds. A Web Application Firewall (WAF) can be configured to filter out or sanitize client-supplied REMOTE_ADDR, REMOTE_PORT, LOCAL_ADDR, and LOCAL_PORT headers. Additionally, review the Nginx configuration to minimize the use of these headers in logging and authorization processes. After upgrading, verify the fix by sending a crafted HTTP request containing these headers and confirming that they are either rejected by the WAF or do not influence server behavior.
Update the cpp-httplib library to version 0.27.0 or higher. This resolves the HTTP header manipulation vulnerability and prevents an attacker from controlling server-visible metadata, logging, and authorization decisions.
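As an added illustration of the header-handling pattern described above and of the post-upgrade verification step (this is not cpp-httplib's or Nginx's own code), the following C++ sketch models a case-insensitive header multimap: the vulnerable path appends the socket-derived REMOTE_ADDR beside whatever the client sent, so a first-match lookup returns the client's value, while the hardened path drops every client-supplied reserved name first. Only the four header names come from the advisory; the function names, the constructed request, and the sample addresses are assumptions.

```cpp
#include <algorithm>
#include <cctype>
#include <map>
#include <string>
#include <vector>

// HTTP header names are case-insensitive, so the map compares them that way.
struct CaseInsensitiveLess {
    bool operator()(const std::string& a, const std::string& b) const {
        return std::lexicographical_compare(
            a.begin(), a.end(), b.begin(), b.end(),
            [](unsigned char x, unsigned char y) { return std::tolower(x) < std::tolower(y); });
    }
};
using Headers = std::multimap<std::string, std::string, CaseInsensitiveLess>;

// Names the server derives from the socket; a client must never supply them.
static const std::vector<std::string> kReservedHeaders = {
    "REMOTE_ADDR", "REMOTE_PORT", "LOCAL_ADDR", "LOCAL_PORT"};

// First stored value for a name (the usual "get header" semantics).
std::string first_value(const Headers& h, const std::string& name) {
    auto it = h.lower_bound(name);
    if (it == h.end() || h.key_comp()(name, it->first)) return "";
    return it->second;
}

// Vulnerable pattern: the socket-derived address is appended next to the
// client's copy, so the client's earlier entry wins a first-match lookup.
Headers attach_metadata_vulnerable(Headers req, const std::string& peer_ip) {
    req.emplace("REMOTE_ADDR", peer_ip);
    return req;
}

// Hardened pattern: erase every client-supplied occurrence of a reserved name
// (all case variants) before storing the server's own value.
Headers attach_metadata_hardened(Headers req, const std::string& peer_ip) {
    for (const auto& name : kReservedHeaders) req.erase(name);
    req.emplace("REMOTE_ADDR", peer_ip);
    return req;
}

// Constructed request headers (hypothetical values): the client includes a
// lowercase remote_addr claiming to be loopback.
Headers constructed_request() {
    Headers h;
    h.emplace("Host", "example.test");
    h.emplace("remote_addr", "127.0.0.1");
    return h;
}
```

The same two-request comparison (one with and one without the reserved headers) is the check to run against a patched server: the value it logs or authorizes on must come from the connection, not from the request.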
CVE-2025-66570 is a critical vulnerability in Nginx versions up to 0.27.0 that allows attackers to inject malicious HTTP headers, potentially influencing server metadata, logging, and authorization.
You are affected if you are running Nginx versions 0.27.0 or earlier. Check your Nginx version using nginx -v.
Upgrade Nginx to a patched version. Refer to the official Nginx documentation for upgrade instructions. Consider a WAF as a temporary mitigation.
While no widespread exploitation has been confirmed, the ease of exploitation makes it a likely target. Monitor security advisories and threat intelligence feeds.
Refer to the official Nginx security advisories at [https://nginx.org/en/security/](https://nginx.org/en/security/)