NGINX allows HTTP request smuggling

Last update: 2024-05-20

Advisory IDNN-2020:1-01
TopicNGINX allows HTTP request smuggling
CWE Impact
Issue date2020-02-25
CVE Name(s)CVE-2019-20372
CVSS Details
CVSS Score5.3 (CVSS v3.1)
CVE Risk LevelMedium (CVSS v3.1)
Risk Level for Nozomi customersNone


Under some special configuration NGINX permits HTTP request smuggling which can lead an attacker to access unauthorized web pages.


None. Our products are not affected by this issue because the configuration used is not vulnerable.

Affected Products


Workarounds and Mitigations

Not required


Not required

Modification History

2020-02-25: Initial revision
2023-09-04: Minor updates to format and metadata to improve the CSAF implementation
2023-11-13: Migrated to CSAF VEX format
2023-11-16: CSAF vers improvements
2024-05-20: Replaced offline reference link with an archived copy

Related Links


We thank the following parties for their efforts:

  • Bert JW Regeer (bert.regeer@getcruise.com), Francisco Oca Gonzalez (francisco.oca@getcruise.com) of Cruise for their NGINX vulnerability advisory


Nozomi Networks Product Security team can be reached at prodsec@nozominetworks.com.
More contact details on the PSIRT page.