CVE-2026-55233 in OpenRestyinfo

Summary

by MITRE • 07/10/2026

OpenResty is a high performance web platform. From 1.29.2.1 to before 1.29.2.5, an out-of-bounds write vulnerability exists in the upstream PROXY protocol v2 implementation. When OpenResty is configured to send PROXY protocol version 2 headers to upstream servers, constructing the header in the stream proxy protocol v2 patch can write beyond the bounds of the allocated buffer, causing the worker process to crash and resulting in a denial of service. Only configurations that explicitly enable PROXY protocol v2 for upstream connections are impacted. This issue is fixed in version 1.29.2.5.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability under discussion represents a critical out-of-bounds write condition within the OpenResty web platform's implementation of the PROXY protocol version 2 specification. This flaw exists specifically in versions ranging from 1.29.2.1 through 1.29.2.4, creating a potential avenue for denial of service attacks that can compromise system availability. The vulnerability manifests within the stream proxy protocol v2 patch functionality where the application fails to properly validate buffer boundaries during header construction operations.

The technical implementation flaw stems from inadequate bounds checking mechanisms within the PROXY protocol v2 header generation process. When OpenResty instances are configured to forward PROXY protocol version 2 headers to upstream servers, the system attempts to construct these headers without sufficient validation of the allocated buffer sizes. This deficiency allows maliciously crafted PROXY protocol data to cause memory corruption through out-of-bounds writes that extend beyond the intended buffer boundaries. The vulnerability specifically impacts worker processes responsible for handling stream proxy connections, where the PROXY protocol v2 functionality is actively enabled and utilized.

Operational impact assessment reveals this vulnerability as particularly concerning due to its ability to trigger immediate process termination and subsequent system instability. When exploited, the out-of-bounds write condition results in worker process crashes that can cascade into broader service disruptions within the OpenResty deployment. The denial of service scenario occurs without requiring authentication or complex exploitation techniques, making it accessible to attackers with minimal privileges. This vulnerability directly impacts the availability and reliability of web applications relying on OpenResty's stream proxy capabilities, particularly those configured to communicate with upstream servers using PROXY protocol v2.

The remediation approach requires immediate deployment of OpenResty version 1.29.2.5 or later, which incorporates proper bounds checking mechanisms within the PROXY protocol v2 implementation. Organizations should conduct comprehensive vulnerability assessments to identify all OpenResty instances that have enabled PROXY protocol v2 functionality for upstream connections. Security teams must implement monitoring solutions to detect potential exploitation attempts and establish incident response procedures for rapid remediation. The vulnerability aligns with CWE-787 Out-of-bounds Write classification and represents a significant concern within ATT&CK framework under the T1499.004 technique focusing on network denial of service attacks through application layer vulnerabilities.

Mitigation strategies should include comprehensive configuration reviews to disable PROXY protocol v2 functionality where it is not strictly required for operational purposes. Network segmentation and access controls can limit exposure by restricting which systems can interact with OpenResty instances configured for PROXY protocol handling. Regular security updates and patch management processes should be enforced to maintain protection against similar vulnerabilities in the broader software ecosystem. The vulnerability demonstrates the critical importance of input validation and buffer boundary checking in high-performance web platforms where memory corruption can lead to immediate service disruption and potential system compromise.

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!