GHSA-CP8R-8JVW-V3QG
Vulnerability from github – Published: 2026-03-30 16:38 – Updated: 2026-03-30 21:26
Summary
An input validation vulnerability in the logrotate configuration allows an authenticated user to cause a complete Denial of Service (DoS). By submitting a negative integer for the rotation interval, the backend enters an infinite loop or an invalid state, rendering the web interface unresponsive.
Details
The vulnerability exists in the handler for the POST /api/settings endpoint. Specifically, the logrotate.interval field is accepted as a signed integer without lower-bound verification. When a negative value is processed by the backend logic responsible for scheduling or calculating the next rotation, it triggers a non-terminating loop. This consumes CPU resources and prevents the Go web server from handling further concurrent requests.
Environment:
- OS: Kali Linux 6.17.10-1kali1 (6.17.10+kali-amd64)
- nginx-ui version: 2.3.3 (513) e5da6dd (go1.26.0 linux/amd64)
- Deployment: Docker container
- Run Command:

```
docker run -dit \
  --name=nginx-ui \
  --restart=always \
  -v /mnt/user4/appdata/nginx:/etc/nginx \
  -v /mnt/user4/appdata/nginx-ui:/etc/nginx-ui \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -p 8080:80 -p 8443:443 \
  uozi/nginx-ui:latest
```
PoC
1. Authenticate to the nginx-ui dashboard.
2. Send a POST request to /api/settings (using Burp Suite, Postman, or curl).
3. Set the payload as follows:

```
.
.
.
{
  "logrotate": {
    "enabled": true,
    "cmd": "logrotate /etc/logrotate.d/nginx",
    "interval": -1
  }
}
.
.
.
```

4. Observe that the web server stops responding to all subsequent requests immediately after the injection.
Impact
This vulnerability has a high impact on availability (CWE-20: Improper Input Validation). Any authenticated user with access to settings can permanently hang the service.
A patched version of nginx-ui is available at https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4.
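The Details section attributes the hang to a signed `interval` that is accepted without a lower bound and then fed to the rotation scheduler. The following Go program is an added illustration of the fix pattern, not nginx-ui's own code: the struct names, the minute unit, the upper bound, and the `NextRotation` catch-up loop are all constructed assumptions. It decodes the advisory's PoC body, rejects the `-1` before it can reach any scheduling logic, and shows why a scheduler that steps forward by the interval cannot terminate when that interval is zero or negative.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// LogrotateSettings mirrors the shape of the advisory's PoC payload.
// Field names come from the PoC; the struct itself is a constructed
// stand-in, not nginx-ui's own type.
type LogrotateSettings struct {
	Enabled  bool   `json:"enabled"`
	Cmd      string `json:"cmd"`
	Interval int    `json:"interval"` // rotation interval in minutes (assumed unit)
}

// Settings is the top-level body accepted by the hypothetical settings handler.
type Settings struct {
	Logrotate LogrotateSettings `json:"logrotate"`
}

// MaxIntervalMinutes is an upper bound (one year, chosen here) so that an
// absurdly large value cannot overflow a time.Duration or defer rotation forever.
const MaxIntervalMinutes = 365 * 24 * 60

// ErrInvalidInterval is returned whenever logrotate.interval fails the bounds check.
var ErrInvalidInterval = errors.New("logrotate.interval must be a positive integer")

// ValidateLogrotate enforces the lower bound the advisory reports as missing:
// zero and negative intervals are rejected before anything is scheduled.
func ValidateLogrotate(l LogrotateSettings) error {
	if l.Interval <= 0 || l.Interval > MaxIntervalMinutes {
		return fmt.Errorf("%w: got %d", ErrInvalidInterval, l.Interval)
	}
	return nil
}

// ParseAndValidate is the hardened shape of a settings handler's body handling:
// decode strictly, validate, and only then hand the value on to be stored.
func ParseAndValidate(body []byte) (*Settings, error) {
	var s Settings
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields() // unknown keys are an error rather than silently dropped
	if err := dec.Decode(&s); err != nil {
		return nil, fmt.Errorf("decode settings: %w", err)
	}
	if err := ValidateLogrotate(s.Logrotate); err != nil {
		return nil, err
	}
	return &s, nil
}

// NextRotation computes the first rotation time after now by stepping forward
// from the last rotation. This is a constructed catch-up loop of the kind the
// advisory describes: with a non-positive interval the step never moves past
// now and the loop would spin forever, so the function fails closed instead.
func NextRotation(last, now time.Time, interval time.Duration) (time.Time, error) {
	if interval <= 0 {
		return time.Time{}, fmt.Errorf("refusing to schedule: %w", ErrInvalidInterval)
	}
	next := last
	for !next.After(now) {
		next = next.Add(interval)
	}
	return next, nil
}

func main() {
	// Constructed request bodies: the advisory's PoC value and a sane one.
	for _, body := range []string{
		`{"logrotate":{"enabled":true,"cmd":"logrotate /etc/logrotate.d/nginx","interval":-1}}`,
		`{"logrotate":{"enabled":true,"cmd":"logrotate /etc/logrotate.d/nginx","interval":1440}}`,
	} {
		s, err := ParseAndValidate([]byte(body))
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		interval := time.Duration(s.Logrotate.Interval) * time.Minute
		last := time.Date(2026, 3, 30, 0, 0, 0, 0, time.UTC)
		next, err := NextRotation(last, last.Add(90*time.Minute), interval)
		fmt.Println("accepted; next rotation at", next, err)
	}
}
```

The guard in `NextRotation` is deliberately redundant with `ValidateLogrotate`: input validation at the API boundary stops the value from being stored, and the scheduler's own check means a value that arrived some other way (an old config file, a migration) still cannot pin a CPU.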
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/0xJacky/Nginx-UI"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.99"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33029"
],
"database_specific": {
"cwe_ids": [
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-30T16:38:38Z",
"nvd_published_at": "2026-03-30T18:16:19Z",
"severity": "MODERATE"
},
"details": "### Summary\nAn input validation vulnerability in the logrotate configuration allows an authenticated user to cause a complete Denial of Service (DoS). By submitting a negative integer for the rotation interval, the backend enters an infinite loop or an invalid state, rendering the web interface unresponsive.\n\n### Details\nThe vulnerability exists in the handler for the POST /api/settings endpoint. Specifically, the logrotate.interval field is accepted as a signed integer without lower-bound verification. When a negative value is processed by the backend logic responsible for scheduling or calculating the next rotation, it triggers a non-terminating loop. This consumes CPU resources and prevents the Go web server from handling further concurrent requests.\n\n**Environment:**\n- OS: Kali Linux 6.17.10-1kali1 (6.17.10+kali-amd64)\n- nginx-ui version: 2.3.3 (513) e5da6dd (go1.26.0 linux/amd64)\n- Deployment: Docker container\n- Run Command: \n```\ndocker run -dit \\\n --name=nginx-ui \\\n --restart=always \\\n -v /mnt/user4/appdata/nginx:/etc/nginx \\\n -v /mnt/user4/appdata/nginx-ui:/etc/nginx-ui \\\n -v /var/run/docker.sock:/var/run/docker.sock \\\n -p 8080:80 -p 8443:443 \\\n uozi/nginx-ui:latest\n```\n\n### PoC\n1. Authenticate to the nginx-ui dashboard.\n2. Send a POST request to /api/settings (using Burp Suite, Postman, or curl).\n3. Set the payload as follows:\n```\n.\n.\n.\n{\n \"logrotate\": {\n \"enabled\": true,\n \"cmd\": \"logrotate /etc/logrotate.d/nginx\",\n \"interval\": -1\n }\n}\n.\n.\n.\n```\n4. Observe that the web server stops responding to all subsequent requests immediately after the injection.\n\u003cimg width=\"1041\" height=\"390\" alt=\"image\" src=\"https://github.com/user-attachments/assets/b746a91a-dd63-4f5e-b1a8-382b9d08e181\" /\u003e\n\n### Impact\nThis is a High-availability vulnerability (CWE-20: Improper Input Validation). Any authenticated user with access to settings can permanently hang the service.\n\nA patched version of nginx-ui is available at https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4.",
"id": "GHSA-cp8r-8jvw-v3qg",
"modified": "2026-03-30T21:26:02Z",
"published": "2026-03-30T16:38:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-cp8r-8jvw-v3qg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33029"
},
{
"type": "PACKAGE",
"url": "https://github.com/0xJacky/nginx-ui"
},
{
"type": "WEB",
"url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "nginx-ui Vulnerable to DoS via Negative Integer Input in Logrotate Interval"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.