CVE-2024-33452

Published Apr 22, 2025

Last updated 6 months ago

CVSS high 7.7
Openresty

Overview

Description
An issue in OpenResty lua-nginx-module v.0.10.26 and before allows a remote attacker to conduct HTTP request smuggling via a crafted HEAD request.
Source
cve@mitre.org
NVD status
Modified
Products
lua-nginx-module

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.7
Impact score
5.5
Exploitability score
2.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Severity
HIGH

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-444

Social media

Hype score
Not currently trending

  1. CVE-2024-33452 An issue in OpenResty lua-nginx-module v.0.10.26 and before allows a remote attacker to conduct HTTP request smuggling via a crafted HEAD request. https://t.co/nXQel5Z5VY

    @CVEnew

    22 Apr 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. #AppSec #WebApp_Security 1. OpenResty/lua-nginx-module HTTP Request Smuggling in HEAD requests (CVE-2024-33452) https://t.co/1ftSNUVA8D 2. How to gain code execution on millions of people and hundreds of popular apps https://t.co/izYFMKvsW5

    @ksg93rd

    28 Mar 2025

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. OpenResty/lua-nginx-module HTTP Request Smuggling in HEAD requests - CVE-2024-33452 https://t.co/ea2QdoupRP

    @hahwul

    19 Mar 2025

    873 Impressions

    4 Retweets

    11 Likes

    6 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affects NGINX Open Source and NGINX Plus if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.CVE-2026-32647
  2. NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked.   Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.CVE-2026-28755
  3. NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_dav_module module that might allow an attacker to trigger a buffer overflow to the NGINX worker process; this vulnerability may result in termination of the NGINX worker process or modification of source or destination file names outside the document root. This issue affects NGINX Open Source and NGINX Plus when the configuration file uses DAV module MOVE or COPY methods, prefix location (nonregular expression location configuration), and alias directives. The integrity impact is constrained because the NGINX worker process user has low privileges and does not have access to the entire system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.CVE-2026-27654
  4. The 32-bit implementation of NGINX Open Source has a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to over-read or over-write NGINX worker memory resulting in its termination, using a specially crafted MP4 file. The issue only affects 32-bit NGINX Open Source if it is built with the ngx_http_mp4_module module and the mp4 directive is used in the configuration file. Additionally, the attack is possible only if an attacker can trigger the processing of a specially crafted MP4 file with the ngx_http_mp4_module module. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.CVE-2026-27784
  5. NGINX Plus and NGINX Open Source have a vulnerability in the ngx_mail_smtp_module module due to the improper handling of CRLF sequences in DNS responses. This allows an attacker-controlled DNS server to inject arbitrary headers into SMTP upstream requests, leading to potential request manipulation. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.CVE-2026-28753

References

Sources include official advisories and independent security research.