VYPR
High severity · NVD Advisory · Published Jan 29, 2024 · Updated Nov 12, 2024

Nginx-UI authenticated RCE through injecting into the application config via CRLF

CVE-2024-23828

Description

Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to an authenticated arbitrary command execution via CRLF attack when changing the value of test_config_cmd or start_cmd. This vulnerability exists due to an incomplete fix for CVE-2024-22197 and CVE-2024-22198. This vulnerability has been patched in version 2.0.0.beta.12.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated command injection in Nginx-UI via CRLF in test_config_cmd or start_cmd, due to incomplete fixes for previous CVEs.

Vulnerability

Overview

Nginx-UI is vulnerable to authenticated arbitrary command execution through CRLF injection in the test_config_cmd and start_cmd settings. The application does not strip newline characters from these values, so an attacker can terminate the stored value and append further content that is later treated as a separate setting and executed. The flaw exists because the fixes for CVE-2024-22197 and CVE-2024-22198 were incomplete [1][2].

Exploitation

An attacker needs a valid session on the Nginx-UI web interface. By setting test_config_cmd or start_cmd to a value that contains a CRLF sequence followed by attacker-chosen content, the attacker gets that content executed on the server the next time Nginx-UI runs the configured command. No privileges beyond a valid session are stated as required [3].

Impact

Successful exploitation allows the attacker to execute arbitrary commands with the privileges of the Nginx-UI process, potentially leading to full server compromise. This could include data exfiltration, installation of malware, or lateral movement within the network [2][3].

Mitigation

The vulnerability has been patched in Nginx-UI version 2.0.0-beta.12. Users are strongly advised to update to that version or later. No workarounds are publicly documented; upgrading is the recommended course of action [2][3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                            Affected versions    Patched versions
github.com/0xJacky/Nginx-UI (Go)   < 2.0.0-beta.12      2.0.0-beta.12

Affected products

2

Patches

1
d70e37c8575e

fix: taking 100% CPU if the log file is not a regular file

https://github.com/0xJacky/nginx-ui · 0xJacky · Jan 26, 2024 · via ghsa
4 files changed · +21 −8
  • api/nginx/nginx_log.go (+18 −5, modified)
    @@ -3,7 +3,6 @@ package nginx
     import (
     	"encoding/json"
     	"github.com/0xJacky/Nginx-UI/api"
    -	"github.com/0xJacky/Nginx-UI/internal/helper"
     	"github.com/0xJacky/Nginx-UI/internal/logger"
     	"github.com/0xJacky/Nginx-UI/internal/nginx"
     	"github.com/gin-gonic/gin"
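Review bot: dropping the internal/helper import is consistent with the replacement of helper.FileExists in tailNginxLog further down, but it only compiles if no other call into that package remains in this file; worth confirming, since the file is not shown in full here.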
    @@ -50,15 +49,21 @@ func GetNginxLogPage(c *gin.Context) {
     		return
     	}
     
    -	f, err := os.Open(logPath)
    +	logFileStat, err := os.Stat(logPath)
     
     	if err != nil {
     		c.JSON(http.StatusOK, nginxLogPageResp{})
     		logger.Error(err)
     		return
     	}
     
    -	logFileStat, err := os.Stat(logPath)
    +	if !logFileStat.Mode().IsRegular() {
    +		c.JSON(http.StatusOK, nginxLogPageResp{})
    +		logger.Error("log file is not regular file:", logPath)
    +		return
    +	}
    +
    +	f, err := os.Open(logPath)
     
     	if err != nil {
     		c.JSON(http.StatusOK, nginxLogPageResp{})
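Review bot: the regular-file check is made on a separate os.Stat before os.Open, so logPath can be replaced by a FIFO or device between the two calls and the open then behaves exactly as before this fix; open first and check the handle instead, e.g. `f, err := os.Open(logPath)`, then `fi, err := f.Stat()` and `if !fi.Mode().IsRegular() { ... }`. The not-regular branch also answers with http.StatusOK and an empty nginxLogPageResp, which hides the misconfiguration from the client; returning a 4xx with the logged message would surface it.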
    @@ -188,8 +193,16 @@ func tailNginxLog(ws *websocket.Conn, controlChan chan controlStruct, errChan ch
     			Whence: io.SeekEnd,
     		}
     
    -		if !helper.FileExists(logPath) {
    -			errChan <- errors.New("error log path not exists " + logPath)
    +		stat, err := os.Stat(logPath)
    +		if os.IsNotExist(err) {
    +			errChan <- errors.New("[error] log path not exists " + logPath)
    +			return
    +		}
    +
    +		if !stat.Mode().IsRegular() {
    +			errChan <- errors.New("[error] " + logPath + " is not a regular file. " +
    +				"If you are using nginx-ui in docker container, please refer to " +
    +				"https://nginxui.com/zh_CN/guide/config-nginx-log.html for more information.")
     			return
     		}
     
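Review bot: only os.IsNotExist(err) is handled after os.Stat; for any other error (permission denied, a symlink loop) stat is nil and the following `stat.Mode()` dereferences a nil pointer and panics inside tailNginxLog. Test `err != nil` first and send that error to errChan, then do the IsRegular check. The help link in the message also hardcodes the zh_CN path; point at the language-neutral page or let the frontend localise it.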
    
  • app/src/version.json (+1 −1, modified)
    @@ -1 +1 @@
    -{"version":"2.0.0-beta.11","build_id":109,"total_build":313}
    \ No newline at end of file
    +{"version":"2.0.0-beta.11","build_id":110,"total_build":314}
    \ No newline at end of file
    
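Review bot: the version field stays at 2.0.0-beta.11 in both version.json files (only build_id and total_build advance), so this commit is a build of beta.11, not the 2.0.0-beta.12 release the advisory names as patched; anyone pinning the fix to a hash should verify against the beta.12 tag rather than this commit alone.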
  • app/version.json (+1 −1, modified)
    @@ -1 +1 @@
    -{"version":"2.0.0-beta.11","build_id":109,"total_build":313}
    \ No newline at end of file
    +{"version":"2.0.0-beta.11","build_id":110,"total_build":314}
    \ No newline at end of file
    
  • resources/demo/app.ini (+1 −1, modified)
    @@ -8,7 +8,7 @@ StartCmd = bash
     NodeSecret = fdc7764f-92d2-454c-9640-6a09be121139
     Demo = true
     
    -[nginx_log]
    +[nginx]
     AccessLogPath = /var/log/nginx/access.local.log
     ErrorLogPath = /var/log/nginx/error.local.log
     
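Review bot: the [nginx_log] to [nginx] rename only updates the demo app.ini; the loader that reads AccessLogPath and ErrorLogPath has to read [nginx] as well, and existing installs still carrying a [nginx_log] section will silently lose both paths unless the old section name is also honoured or migrated. Worth a release note. The hunk context also shows `StartCmd = bash`, i.e. the setting this CVE concerns is stored as a free-form command string in the same file.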
    

Vulnerability mechanics

Root cause

"Incomplete fix for CRLF injection in test_config_cmd and start_cmd parameters allows authenticated command execution."

Attack vector

An authenticated attacker can inject arbitrary commands by embedding CRLF sequences into the test_config_cmd or start_cmd configuration values. The advisory states this is an authenticated vulnerability and that the patch addresses an incomplete fix for CVE-2024-22197 and CVE-2024-22198. The attacker must have a valid session on the Nginx-UI web interface and modify the affected configuration parameters, which are then executed without proper sanitization.
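As an added illustration (not nginx-ui's own code) of the injection described in the Exploitation paragraph above and in this Attack vector section, the Go program below models the two command settings being persisted as key = value lines in an INI file, the layout the demo app.ini in the patch uses. The key names TestConfigCmd and StartCmd, the minimal writer and the minimal reader are assumptions made for the demo. Writing a value that contains a CRLF without filtering lets the attacker terminate the line and append a second key, which the next parse reads back as a separate setting; the hardened path rejects CR, LF and NUL before anything is written.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Settings holds the two command values the advisory names. The INI layout
// (key = value under a [nginx] section) is an assumption modelled on the demo
// app.ini shown in the patch; this is illustration code, not nginx-ui's own.
type Settings struct {
	TestConfigCmd string
	StartCmd      string
}

// writeINIUnchecked serialises the settings without filtering line breaks.
// A value containing "\r\n" or "\n" therefore ends its own line early and the
// remainder is written out as a new key = value line.
func writeINIUnchecked(s Settings) string {
	var b strings.Builder
	b.WriteString("[nginx]\n")
	fmt.Fprintf(&b, "TestConfigCmd = %s\n", s.TestConfigCmd)
	fmt.Fprintf(&b, "StartCmd = %s\n", s.StartCmd)
	return b.String()
}

// parseINI is a minimal key = value reader (section headers and comments are
// skipped, which is enough for a single-section file). It shows what a config
// loader sees on the next start: every line is an independent key, and a
// repeated key takes the last value.
func parseINI(text string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(strings.ReplaceAll(text, "\r\n", "\n"), "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "[") ||
			strings.HasPrefix(line, ";") || strings.HasPrefix(line, "#") {
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		out[strings.TrimSpace(k)] = strings.TrimSpace(v)
	}
	return out
}

// validateCmd is the check an incomplete fix that only looks for shell
// metacharacters misses: reject every control character that can terminate a
// config line, so a value can never become more than one line.
func validateCmd(v string) error {
	if strings.ContainsAny(v, "\r\n\x00") {
		return errors.New("command value must not contain CR, LF or NUL")
	}
	return nil
}

// saveSettings is the hardened path: both values are validated before the
// file content is produced.
func saveSettings(s Settings) (string, error) {
	for _, v := range []string{s.TestConfigCmd, s.StartCmd} {
		if err := validateCmd(v); err != nil {
			return "", err
		}
	}
	return writeINIUnchecked(s), nil
}

func main() {
	// Constructed attacker input: a plausible start command followed by a CRLF
	// and a second line that redefines TestConfigCmd.
	evil := Settings{
		TestConfigCmd: "nginx -t",
		StartCmd:      "nginx\r\nTestConfigCmd = /tmp/evil.sh",
	}
	got := parseINI(writeINIUnchecked(evil))
	fmt.Println("unchecked TestConfigCmd:", got["TestConfigCmd"])
	if _, err := saveSettings(evil); err != nil {
		fmt.Println("hardened:", err)
	}
}
```

Rejecting line terminators closes the CRLF hole, but a free-form command setting remains a privileged sink; restricting the value to an allowlist of executable paths, or removing the ability to edit it from the web interface, is the stronger design.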

Affected code

The advisory identifies the vulnerability as affecting the handling of test_config_cmd and start_cmd configuration values. The provided patch [patch_id=436441] modifies api/nginx/nginx_log.go to add regular file checks before opening log files, and renames the config section from [nginx_log] to [nginx] in resources/demo/app.ini. The specific code paths for test_config_cmd and start_cmd are not shown in this patch bundle.

What the fix does

The patch does not directly modify the test_config_cmd or start_cmd handling in the provided diff. Instead, the changes shown harden log file access by checking that the log path points to a regular file using os.Stat() and Mode().IsRegular() before opening it [patch_id=436441]. The advisory indicates the full fix for the CRLF command injection vulnerability is included in version 2.0.0.beta.12, but the specific code changes addressing test_config_cmd and start_cmd are not present in this patch bundle.

Preconditions

  • auth: Attacker must have an authenticated session on the Nginx-UI web interface
  • input: Attacker must be able to modify the test_config_cmd or start_cmd configuration values

Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.