CVE-2022-41742: CWE-787 Out-of-bounds Write in F5 NGINX
NGINX Open Source before versions 1.23.2 and 1.22.1, NGINX Open Source Subscription before versions R2 P1 and R1 P1, and NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_mp4_module that might allow a local attacker to cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted audio or video file. The issue affects only NGINX products that are built with the module ngx_http_mp4_module, when the mp4 directive is used in the configuration file. Further, the attack is possible only if an attacker can trigger processing of a specially crafted audio or video file with the module ngx_http_mp4_module.
AI Analysis
Technical Summary
CVE-2022-41742 is a high-severity vulnerability in several versions of the NGINX Open Source and NGINX Plus products developed by F5. The flaw is in ngx_http_mp4_module, which handles MP4 streaming. It is an out-of-bounds write (CWE-787) that occurs when the module processes a specially crafted audio or video file, and it can crash a worker process or expose worker process memory, resulting in information disclosure. Only NGINX instances that were built with ngx_http_mp4_module and have the mp4 directive enabled in their configuration are affected.
Exploitation requires local access (AV:L, local attack vector), has low attack complexity (AC:L), and needs at least low privileges (PR:L) but no user interaction (UI:N). The vulnerability does not allow integrity compromise, but its impact on confidentiality and availability is high in both cases because of the potential memory disclosure and process crashes.
No known exploits are currently reported in the wild. The vulnerability was publicly disclosed on October 19, 2022, and affects both mainline and stable versions prior to 1.23.2 and 1.22.1 for Open Source, prior to R2 P1 and R1 P1 for Open Source Subscription, and prior to R27 P1 and R26 P1 for NGINX Plus. It is significant because NGINX is widely used as a web server and reverse proxy, and the mp4 module is commonly used for streaming media content. An attacker able to trigger processing of a maliciously crafted media file could cause denial of service or leak memory contents, potentially exposing sensitive information from the server environment.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to media streaming services, content delivery networks, and web infrastructure that utilize NGINX with the mp4 module enabled. The impact includes potential denial of service due to worker process crashes, which can disrupt service availability and degrade user experience. More critically, the memory disclosure aspect could lead to leakage of sensitive information such as session tokens, credentials, or other in-memory data, increasing the risk of further compromise. Organizations in sectors such as media, telecommunications, and online entertainment that rely on NGINX for streaming are particularly vulnerable. Additionally, given the local attack vector requirement, insider threats or attackers who have gained limited access could exploit this vulnerability to escalate their impact. The disruption or data leakage could have regulatory implications under GDPR if personal data is exposed, leading to legal and reputational consequences. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Immediately identify all NGINX instances with the ngx_http_mp4_module enabled and the mp4 directive configured.
2) Upgrade affected NGINX versions to the fixed releases: Open Source versions 1.23.2 or later, 1.22.1 or later; Open Source Subscription versions R2 P1 or later, R1 P1 or later; and NGINX Plus versions R27 P1 or later, R26 P1 or later.
3) If immediate upgrade is not feasible, consider disabling the mp4 module or removing the mp4 directive to prevent processing of MP4 files until patched.
4) Restrict local access to NGINX servers to trusted administrators only, minimizing the risk of local exploitation.
5) Monitor logs for unusual activity related to media file processing or worker process crashes that could indicate attempted exploitation.
6) Conduct internal audits to ensure no unauthorized media files are uploaded or processed.
7) Implement strict file validation and scanning on media uploads to detect and block malformed or suspicious files.
8) Maintain up-to-date incident response plans to quickly address any exploitation attempts.
These steps go beyond generic advice by focusing on configuration auditing, access control, and proactive monitoring specific to the mp4 module context.
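One way to carry out the identification in step 1 and the version check in step 2 for NGINX Open Source, as an added example that is not part of the original advisory. It takes the text of `nginx -V 2>&1` and `nginx -T` as arguments; the function names and sample inputs are constructed for illustration, and NGINX Plus release strings are not parsed.

```shell
#!/bin/sh
# Added example: exposure check for CVE-2022-41742 (NGINX Open Source only).
# $1 = text of `nginx -V 2>&1`, $2 = text of `nginx -T`. Names are hypothetical.

# True if the binary was configured with the mp4 module.
has_mp4_module() { printf '%s\n' "$1" | grep -q -- '--with-http_mp4_module'; }

# True if an uncommented `mp4;` directive is present. "mp4" must start a
# directive, so mime.types entries ("video/mp4 mp4;") and the
# mp4_buffer_size / mp4_max_buffer_size settings do not match.
uses_mp4_directive() {
    printf '%s\n' "$1" | sed 's/#.*//' |
        grep -Eq '(^|[;{}])[[:space:]]*mp4[[:space:]]*;'
}

# Extract "1.22.0" from the line "nginx version: nginx/1.22.0".
nginx_version() {
    printf '%s\n' "$1" | sed -n 's|^nginx version: nginx/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# True for fixed releases: 1.22.1 or later on the 1.22 stable branch,
# or 1.23.2 and anything later.
version_is_fixed() {
    IFS=. read -r maj min pat <<EOF
$1
EOF
    n=$(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
    [ "$n" -ge 1023002 ] || { [ "$n" -ge 1022001 ] && [ "$n" -lt 1023000 ]; }
}

audit() {
    has_mp4_module "$1" || { echo "not affected: mp4 module not built"; return 0; }
    uses_mp4_directive "$2" || { echo "not affected: mp4 directive not used"; return 0; }
    v=$(nginx_version "$1")
    [ -n "$v" ] || { echo "unknown: version not found"; return 0; }
    if version_is_fixed "$v"; then echo "fixed: $v"; else echo "vulnerable: $v"; fi
}

# Constructed sample inputs (not real server output).
SAMPLE_V='nginx version: nginx/1.22.0
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_mp4_module'
SAMPLE_T='server {
    location /video/ {
        mp4;
        mp4_buffer_size 1m;
    }
}'
audit "$SAMPLE_V" "$SAMPLE_T"   # vulnerable: 1.22.0
```

On a live host the call would be `audit "$(nginx -V 2>&1)" "$(nginx -T 2>/dev/null)"`, run with enough privilege to read the full configuration.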
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: f5
- Date Reserved: 2022-09-28T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9818c4522896dcbd82ff
Added to database: 5/21/2025, 9:08:40 AM
Last enriched: 7/5/2025, 5:27:25 AM
Last updated: 10/15/2025, 7:09:06 AM