[GH-ISSUE #4354] nginx too old: vulnerability CVE-2025-23419 #2796

Open
opened 2026-02-26 07:36:48 +03:00 by kerem · 3 comments
Owner

Originally created by @ChristianKrausse on GitHub (Feb 7, 2025).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/4354

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug

As visible under https://nginx.org/en/security_advisories.html a newer nginx needed to be installed.
Not vulnerable: 1.27.4+, 1.26.3+

Nginx Proxy Manager Version
Version 2.12.3 (c5a319c) 2025-02-06 10:51:15 UTC, OpenResty 1.25.3.2, debian 12 (bookworm), Certbot certbot 3.0.1

To Reproduce
bash:> docker exec -it nginx_reverse-proxy /bin/bash
#or however the container is named
bash:> nginx -v
nginx version: openresty/1.25.3.2

Expected behavior
nginx-version 1.27.4 or 1.26.3

Author
Owner

@tanpro260196 commented on GitHub (Feb 11, 2025):

The maintainer rarely, if ever, checks GitHub issues.

Please email security issues directly to his email: jc@jc21.com

Author
Owner

@github-actions[bot] commented on GitHub (Aug 24, 2025):

Issue is now considered stale. If you want to keep it open, please comment 👍

Author
Owner

@dvershinin commented on GitHub (Jan 30, 2026):

To clarify the risk here: CVE-2025-23419 is an SSL session reuse vulnerability that allows bypassing client certificate authentication when multiple virtual hosts share the same IP:port.

Who's affected: Only configurations using:

  • Client certificate authentication (ssl_verify_client on)
  • Multiple server blocks on the same IP:port
  • TLS 1.3 with session tickets or SSL session cache enabled
  • OpenSSL (not BoringSSL or LibreSSL)

Who's NOT affected: If you're just using NPM for basic HTTPS proxying without client certs, this CVE doesn't apply to your setup.

Mitigation without upgrading:

ssl_session_tickets off;
ssl_session_cache off;

This disables the session resumption mechanism the vulnerability exploits.

The real issue: NPM ships OpenResty 1.25.3.2 which bundles NGINX 1.25.x. The fix requires NGINX 1.26.3+ or 1.27.4+. OpenResty hasn't released a version with these patched NGINX builds yet.

For anyone running NPM with client certificate authentication in production, I'd recommend the session ticket mitigation above until the update lands.

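The version guidance and the mitigation from the comment above, turned into a check an operator can run after `docker exec` into the container. This is an added example, not code from the issue, the commenter or the NPM project. It assumes that the first three components of an OpenResty version are the bundled nginx version (the comment reads 1.25.3.2 as NGINX 1.25.x), it encodes only the fixed versions the advisory lists (1.26.3+ and 1.27.4+) and not the lower bound of the affected range, which this page does not state, and it checks only the `ssl_verify_client on` value named in the thread. The `nginx -v` output strings and the two server blocks are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the issue or the NPM project): a defender-side check
# for the situation discussed in this thread.
#  1. parse the nginx version out of `nginx -v` output (OpenResty builds are
#     assumed to bundle the nginx version given by their first three components),
#  2. compare it against the fixed versions named in the advisory,
#  3. check a server block for the client-cert + session-resumption combination
#     that the CVE depends on, and whether the suggested mitigation is in place.

# nginx_core_version "<nginx -v output>" -> "MAJOR.MINOR.PATCH"
# Handles both "nginx version: nginx/1.27.4" and
# "nginx version: openresty/1.25.3.2" (-> 1.25.3, per the assumption above).
nginx_core_version() {
    printf '%s\n' "$1" | sed -n 's#.*/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*#\1#p'
}

# version_ge A B -> exit status 0 if A >= B, compared numerically per component
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); split(b, y, ".");
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0;
            if (x[i] + 0 < y[i] + 0) exit 1;
        }
        exit 0
    }'
}

# cve_2025_23419_fixed "MAJOR.MINOR.PATCH" -> prints "fixed" or "not-fixed"
# Only the fixed versions from the advisory (1.26.3+, 1.27.4+) are encoded;
# "not-fixed" means "not one of the fixed versions", nothing more.
cve_2025_23419_fixed() {
    v="$1"
    if version_ge "$v" "1.27.4"; then
        echo fixed
    elif version_ge "$v" "1.26.3" && ! version_ge "$v" "1.27.0"; then
        echo fixed
    else
        echo not-fixed
    fi
}

# mtls_session_reuse_status "<nginx config text>"
#   -> client-auth-off : no `ssl_verify_client on;` in the block, CVE not relevant
#   -> mitigated       : client auth on, but tickets and session cache both off
#   -> exposed         : client auth on and session resumption not disabled
mtls_session_reuse_status() {
    cfg=$(printf '%s\n' "$1" | sed 's/#.*//')   # drop trailing comments first
    if ! printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*ssl_verify_client[[:space:]]+on[[:space:]]*;'; then
        echo client-auth-off
    elif printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*ssl_session_tickets[[:space:]]+off[[:space:]]*;' \
      && printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*ssl_session_cache[[:space:]]+off[[:space:]]*;'; then
        echo mitigated
    else
        echo exposed
    fi
}

# Constructed sample inputs (not taken from the issue).
VULN_OUTPUT='nginx version: openresty/1.25.3.2'
FIXED_OUTPUT='nginx version: nginx/1.27.4'

EXPOSED_CFG='server {
    listen 443 ssl;
    server_name mtls.example.internal;
    ssl_verify_client on;      # client certificates required
    ssl_session_tickets on;    # resumption left enabled
}'

MITIGATED_CFG='server {
    listen 443 ssl;
    server_name mtls.example.internal;
    ssl_verify_client on;
    ssl_session_tickets off;   # the mitigation from the comment above
    ssl_session_cache off;
}'

# Demo run. On a live host, feed the real output instead:
#   nginx_core_version "$(nginx -v 2>&1)"     (nginx -v writes to stderr)
for out in "$VULN_OUTPUT" "$FIXED_OUTPUT"; do
    v=$(nginx_core_version "$out")
    printf '%s -> nginx %s: %s\n' "$out" "$v" "$(cve_2025_23419_fixed "$v")"
done
printf 'exposed config:   %s\n' "$(mtls_session_reuse_status "$EXPOSED_CFG")"
printf 'mitigated config: %s\n' "$(mtls_session_reuse_status "$MITIGATED_CFG")"
```

The config check is deliberately narrow: it only reports whether the two directives from the comment are present, so a host that is "mitigated" here still has the outdated binary and should be upgraded once OpenResty ships a build on a fixed nginx.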