openresty CVE Vulnerabilities & Metrics

Focus on openresty vulnerabilities and metrics.

Last updated: 07 Jun 2025, 22:25 UTC

About openresty Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with openresty. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.


Global CVE Overview

Total openresty CVEs: 6
Earliest CVE date: 02 Apr 2018, 18:29 UTC
Latest CVE date: 23 Jul 2024, 16:15 UTC

Latest CVE reference: CVE-2024-39702

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical openresty CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 4.05

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range      Count
0.0-3.9    2
4.0-6.9    3
7.0-8.9    1
9.0-10.0   0

CVSS Distribution Chart

Top 5 Highest CVSS openresty CVEs

These are the five CVEs with the highest CVSS scores for openresty, sorted by severity first and then by recency.

All CVEs for openresty

CVE-2024-39702 openresty vulnerability CVSS: 0 23 Jul 2024, 16:15 UTC

In lj_str_hash.c in OpenResty 1.19.3.1 through 1.25.3.1, the string hashing function (used during string interning) allows HashDoS (Hash Denial of Service) attacks. An attacker could cause excessive resource usage during proxy operations via crafted requests, potentially leading to a denial of service with relatively few incoming requests. This vulnerability only exists in the OpenResty fork in the openresty/luajit2 GitHub repository. The upstream LuaJIT/LuaJIT repository is unaffected.

CVE-2023-44487 openresty vulnerability CVSS: 0 10 Oct 2023, 14:15 UTC

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVE-2021-23017 openresty vulnerability CVSS: 6.8 01 Jun 2021, 13:15 UTC

A security issue in the nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause a 1-byte memory overwrite, resulting in a worker process crash or potentially other impact.

CVE-2020-36309 openresty vulnerability CVSS: 5.0 06 Apr 2021, 19:15 UTC

ngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in OpenResty allows unsafe characters in an argument when using the API to mutate a URI, or a request or response header.

CVE-2020-11724 openresty vulnerability CVSS: 5.0 12 Apr 2020, 21:15 UTC

An issue was discovered in OpenResty before 1.15.8.4. ngx_http_lua_subrequest.c allows HTTP request smuggling, as demonstrated by the ngx.location.capture API.

CVE-2018-9230 openresty vulnerability CVSS: 7.5 02 Apr 2018, 18:29 UTC

In OpenResty through 1.13.6.1, URI parameters are obtained using the ngx.req.get_uri_args and ngx.req.get_post_args functions, which ignore parameters beyond the hundredth one; this might allow remote attackers to bypass intended access restrictions or interfere with certain Web Application Firewall (ngx_lua_waf or X-WAF) products. NOTE: the vendor has reported that 100 parameters is an intentional default setting, but is adjustable within the API. The vendor's position is that a security-relevant misuse of the API by a WAF product is a vulnerability in the WAF product, not a vulnerability in OpenResty.