
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-24990 is a security vulnerability in NGINX Plus and NGINX Open Source when they are configured to use the HTTP/3 QUIC module. It was disclosed on February 14, 2024, and affects NGINX Open Source versions 1.25.0 through 1.25.3. The HTTP/3 QUIC module is not built in by default and is considered experimental; when it is in use, undisclosed requests can cause NGINX worker processes to terminate (NVD, OSS Security).
The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, and is classified as a Use After Free (CWE-416). Only installations that were explicitly built with the ngx_http_v3_module (the '--with-http_v3_module' configure argument) and that enable the 'quic' parameter on a 'listen' directive in the configuration file are affected; a binary with the module compiled in but no QUIC listener does not expose the vulnerable code path to the network (NVD).
When exploited, this vulnerability lets a remote, unauthenticated attacker cause a denial of service (DoS) by crashing worker processes. The NGINX master process respawns a crashed worker, so each trigger costs the connections that worker was serving rather than taking the server down permanently, but repeated triggering amounts to a sustained outage. The CVSS vector scores only availability impact (C:N/I:N); whether the use-after-free can be turned into anything beyond a crash has not been demonstrated, and the exact scope remains under investigation (Security Online).
The vulnerability is patched in NGINX version 1.25.4. Organizations running affected versions should upgrade to 1.25.4 or later without delay. Where an immediate upgrade is not possible, the only reliable mitigation is to disable HTTP/3: remove the 'quic' parameter from every 'listen' directive (or remove those listen lines entirely) and stop advertising HTTP/3 to clients through the Alt-Svc header, then reload NGINX. No other workaround is available (Security Online).
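The following shell script is an added example, not part of this report or of NGINX itself. It turns the two exposure conditions above (affected version plus ngx_http_v3_module, and a 'quic' listener in the active configuration) and the mitigation (disabling the QUIC listeners) into an offline check. The 'nginx -V' and 'nginx -T' outputs below are constructed samples; the version test follows the NGINX Open Source range given in the text (1.25.0 through 1.25.3) and does not map NGINX Plus release numbers. The function names and the verdict strings are this example's own.

```sh
#!/bin/sh
# Added example (not from the advisory or from NGINX): an offline check for
# CVE-2024-24990 exposure plus a config rewrite that disables HTTP/3.
# Feed check_exposure the text of `nginx -V 2>&1` and `nginx -T 2>/dev/null`
# (the latter usually needs root so that certificate files can be read).

# is_vulnerable_version VERSION -> success when VERSION is in 1.25.0 .. 1.25.3
# (the OSS range named in the report; earlier releases have no HTTP/3 module)
is_vulnerable_version() {
    case "$1" in
        1.25.0|1.25.1|1.25.2|1.25.3) return 0 ;;
        *) return 1 ;;
    esac
}

# has_http3_module "<nginx -V output>" -> success when the binary was built
# with --with-http_v3_module (the configure argument for ngx_http_v3_module)
has_http3_module() {
    printf '%s\n' "$1" | grep -q -- '--with-http_v3_module'
}

# quic_listeners "<nginx -T output>" -> prints every uncommented listen
# directive that carries the quic parameter (commented lines are skipped)
quic_listeners() {
    printf '%s\n' "$1" \
      | grep -E '^[[:space:]]*listen[[:space:]][^#;]*[[:space:]]quic([[:space:];]|$)' || true
}

# disable_quic_listeners "<config>" -> same config with each quic listener
# commented out. The whole line is commented rather than just dropping the
# word quic, because "listen 443 reuseport;" would otherwise become a
# plain-text TCP listener on 443.
disable_quic_listeners() {
    printf '%s\n' "$1" \
      | sed -E '/^[[:space:]]*listen[[:space:]][^#;]*[[:space:]]quic([[:space:];]|$)/s/^([[:space:]]*)/\1# QUIC disabled for CVE-2024-24990: /'
}

# check_exposure "<nginx -V output>" "<nginx -T output>"
# Prints one verdict and returns 1 only when all three conditions hold:
#   version-not-affected (X.Y.Z) | no-http3-module | no-quic-listener | EXPOSED
check_exposure() {
    vout="$1"; conf="$2"
    version=$(printf '%s\n' "$vout" | sed -n 's#^nginx version: nginx/\([0-9.]*\).*#\1#p')
    if ! is_vulnerable_version "$version"; then
        echo "version-not-affected ($version)"; return 0
    fi
    if ! has_http3_module "$vout"; then
        echo "no-http3-module"; return 0
    fi
    if [ -z "$(quic_listeners "$conf")" ]; then
        echo "no-quic-listener"; return 0
    fi
    echo "EXPOSED"; return 1
}

# ---- constructed samples (not real host output) ----
V_VULN='nginx version: nginx/1.25.3
built with OpenSSL 3.0.2 15 Mar 2022
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v3_module'

V_FIXED='nginx version: nginx/1.25.4
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v3_module'

V_NOMOD='nginx version: nginx/1.25.3
configure arguments: --prefix=/etc/nginx --with-http_ssl_module'

C_QUIC='server {
    listen 443 ssl;
    listen 443 quic reuseport;
    # listen 8443 quic;        commented out: must not count as exposure
    ssl_certificate /etc/ssl/certs/example.pem;
    add_header Alt-Svc '\''h3=":443"; ma=86400'\'';
}'

C_NOQUIC='server {
    listen 443 ssl;
}'

# Demo over the samples; a non-zero status from check_exposure means EXPOSED
for v in "$V_VULN" "$V_FIXED" "$V_NOMOD"; do
    check_exposure "$v" "$C_QUIC" || :
done
check_exposure "$V_VULN" "$C_NOQUIC"
disable_quic_listeners "$C_QUIC"
```

On a live host run check_exposure "$(nginx -V 2>&1)" "$(nginx -T 2>/dev/null)". After commenting out the quic listeners, also remove the add_header Alt-Svc line that advertises h3 (left untouched by the script above) and reload NGINX; otherwise clients keep being told to try HTTP/3 on a port that no longer answers it.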
Source: This report was generated using AI