F5 has patched two critical vulnerabilities in NGINX Open Source, both of which could allow a remote, unauthenticated attacker to execute arbitrary code on affected systems. The flaws reside in the HTTP/3 module and carry a CVSS v4 score of 9.2, indicating high exploitability with no authentication required. NGINX is one of the world’s most widely deployed web servers and reverse proxies, making the blast radius of these vulnerabilities significant.

Security Architect’s Take: Prioritise patching NGINX Open Source instances immediately, particularly any internet-facing deployments with HTTP/3 (QUIC) enabled — consider disabling HTTP/3 as a temporary mitigation if patching cannot be completed rapidly. Audit Kubernetes ingress controllers, API gateways, and load balancers that bundle NGINX, as these are commonly overlooked in patch cycles.

Original advisory: F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution