CVE-2017-20005

9.8 CRITICAL

📋 TL;DR

This is a buffer overflow in NGINX's autoindex module. When it renders a directory listing it writes each entry's modification date into a field sized for a four-digit year, and an entry whose year needs more digits overruns that field. A file with a modification date in 1969 (before the Unix epoch) triggers an integer overflow in the date conversion and comes out as a year far in the future; a file stamped far in the future has the same effect directly. Only servers with autoindex enabled are affected, and the trigger is the on-disk timestamp of a listed file, not anything in the HTTP request. NVD scores it 9.8 as potential remote code execution; the demonstrated effect is a crash of the worker process (denial of service).
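Because the trigger lives in filesystem metadata, the first practical question is whether any listed directory already holds such an entry. The check below is an added example, not nginx code and not from the original page: it flags every file or directory under the given roots whose modification time would print as a pre-1970 or five-digit year. The roots are whatever directories your autoindex locations serve (the paths in the usage comment are placeholders); it assumes GNU find for -printf.

```sh
#!/bin/sh
# Added example (not nginx project code): list filesystem entries whose
# modification time cannot fit a "DD-Mon-YYYY" field with a four-digit year.
# Assumes GNU find (-printf); shell arithmetic is 64-bit in dash and bash.
set -u

# 9999-12-31T23:59:59Z; anything later renders with five or more digits.
MAX_EPOCH=253402300799

# mtime_out_of_range SECONDS -> exit 0 if the epoch value is negative
# (pre-1970, the 1969 case from the CVE) or past year 9999.
mtime_out_of_range() {
    [ "$1" -lt 0 ] || [ "$1" -gt "$MAX_EPOCH" ]
}

# find_bad_mtimes ROOT... -> prints "<epoch> <path>" for every offending
# file or directory under the roots (autoindex lists both kinds).
find_bad_mtimes() {
    find "$@" \( -type f -o -type d \) -printf '%T@ %p\n' 2>/dev/null |
    while IFS= read -r line; do
        ts=${line%% *}        # "%T@" prints seconds.fraction
        ts=${ts%%.*}          # keep the integer part, sign included
        path=${line#* }
        if mtime_out_of_range "$ts"; then
            printf '%s %s\n' "$ts" "$path"
        fi
    done
}

# count_bad_mtimes ROOT... -> number of offending entries, for scripting.
count_bad_mtimes() {
    find_bad_mtimes "$@" | wc -l | tr -d ' '
}

# Usage on a real host, with the roots taken from your autoindex locations
# (placeholder paths):
#   find_bad_mtimes /srv/www/downloads /srv/www/mirror
```

Run it against the roots of every location that has autoindex on; a non-zero count means a single GET of that listing is enough to reach the overflow on an unpatched server. Note that the scan only sees entries present now; an attacker who can write to the directory can add one later, which is why write access to listed directories matters as much as the scan result.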

💻 Affected Systems

Products:
  • NGINX
Versions: All versions before 1.13.6
Operating Systems: All operating systems running vulnerable NGINX versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when the autoindex module is enabled in configuration (autoindex on; at http, server or location level). The directive defaults to off, so an unmodified installation is not exposed. An attacker additionally needs a file with an out-of-range modification time inside a listed directory (for example via an upload feature, shared storage, or an archive extracted with timestamps preserved).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or persistent backdoor installation, if the overflow can be turned into controlled memory corruption; the public proof-of-concept does not go beyond a crash.

🟠

Likely Case

Denial of service: the NGINX worker process serving the listing crashes. The master process respawns workers, so each request for the listing fails rather than the whole service staying down, unless the attacker keeps requesting it.

🟢

If Mitigated

Limited impact if autoindex is disabled, or if untrusted parties cannot create or modify files in listed directories. There is no request input to validate, so input filtering does not apply.

🌐 Internet-Facing: HIGH - NGINX is commonly internet-facing, and download, mirror and static-file servers often expose directory listings; an external attacker still needs a way to place or touch a file in a listed directory.
🏢 Internal Only: MEDIUM - Internal instances are exploitable by any user who can both reach a listing and write to the listed directory (shared file stores are the typical case).

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires requesting the autoindex listing of a directory that contains an entry whose modification time falls before 1970 or beyond year 9999. The timestamp is not supplied in the request, so the attacker must be able to plant or touch such a file. The public proof-of-concept demonstrates a worker crash (denial of service).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.13.6 and later

Vendor Advisory: http://nginx.org/en/CHANGES

Restart Required: Yes

Instructions:

1. Upgrade NGINX to 1.13.6 or later from nginx.org packages or your distribution: 'apt-get update && apt-get install --only-upgrade nginx' (Debian/Ubuntu) or 'yum update nginx' (RHEL/CentOS). Distribution packages may ship the fix backported under an older version number; check the package changelog if the version string stays below 1.13.6.
2. Validate the configuration before restarting: 'nginx -t'.
3. Restart NGINX so the new binary is loaded: 'systemctl restart nginx' or 'service nginx restart'. A plain 'nginx -s reload' re-reads configuration but keeps the old binary running.

🔧 Temporary Workarounds

Disable autoindex module

linux

Comment out (or set to off) every 'autoindex on;' directive in every file NGINX loads: nginx.conf plus everything pulled in with include, typically conf.d/*.conf and sites-enabled/*. The recursive form below also matches indented directives and extra spaces, which a literal 'autoindex on;' pattern misses. Validate and reload afterwards; directory requests then return 403 unless an index file exists.

grep -rl autoindex /etc/nginx | xargs -r sed -i -E 's/^([[:space:]]*)autoindex[[:space:]]+on[[:space:]]*;/\1# autoindex on;/'
nginx -t && nginx -s reload
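A scripted version of the workaround, added here as an example rather than taken from nginx or the original page: it rewrites every autoindex on; directive anywhere under a config tree to an explicit autoindex off;, tolerating indentation and stray spaces, reports how many files it changed, and only then validates and reloads. It assumes GNU grep, sed and xargs; the config directory is a parameter so the function can be exercised on a scratch copy.

```sh
#!/bin/sh
# Added example (not nginx project code): flip every "autoindex on;" under a
# config tree to "autoindex off;", whatever file or indentation it uses.
# Assumes GNU grep (-Z), sed (-i -E) and xargs (-0).
set -u

# Directive on its own line, possibly indented, possibly "on ;". Lines that
# are already comments (# autoindex on;) do not match because of the anchor.
AUTOINDEX_ON='^[[:space:]]*autoindex[[:space:]]+on[[:space:]]*;'

# disable_autoindex CONF_DIR -> rewrites matching files in place and prints
# the number of files changed (0 when nothing was enabled).
disable_autoindex() {
    conf_dir=$1
    changed=$(grep -rlE "$AUTOINDEX_ON" "$conf_dir" | wc -l | tr -d ' ')
    if [ "$changed" -gt 0 ]; then
        grep -rlZE "$AUTOINDEX_ON" "$conf_dir" |
            xargs -0 sed -i -E \
                's/^([[:space:]]*)autoindex[[:space:]]+on[[:space:]]*;/\1autoindex off; # was on: CVE-2017-20005 workaround/'
    fi
    echo "$changed"
}

# apply_workaround [CONF_DIR] -> disable, then validate and reload if nginx
# is installed here. Directory requests now return 403 unless an index file
# exists. A directive sharing a line with other directives is deliberately
# not matched, so the final "nginx -T" grep is the authoritative check.
apply_workaround() {
    conf_dir=${1:-/etc/nginx}
    n=$(disable_autoindex "$conf_dir")
    echo "autoindex disabled in $n file(s) under $conf_dir"
    if command -v nginx >/dev/null 2>&1; then
        nginx -t && nginx -s reload
        nginx -T 2>/dev/null | grep -nE 'autoindex[[:space:]]+on' ||
            echo "no autoindex on; remains in the effective configuration"
    fi
}
```

Writing an explicit off instead of a comment is safer when the directive sits at http or server level: a commented-out line leaves the inherited value in force, whereas off overrides whatever an outer block sets.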

🧯 If You Can't Patch

  • Disable autoindex in every NGINX configuration file immediately ('nginx -T' prints the effective configuration with includes resolved, so nothing is missed)
  • Do not rely on a WAF: the malformed date comes from file metadata on disk, not from the request, so there is no request pattern to block
  • Make sure untrusted users cannot create or touch files in any listed directory (upload paths, shared mounts), and review those directories for entries dated before 1970 or after 9999

🔍 How to Verify

Check if Vulnerable:

Check the NGINX version with 'nginx -v 2>&1' and look for an enabled directive in the effective configuration with 'nginx -T 2>/dev/null | grep -nE "^[[:space:]]*autoindex[[:space:]]+on"', which covers every included file. A version below 1.13.6 with at least one match is vulnerable. Distribution packages may carry the fix under an older version string; confirm with the package changelog before concluding.

Check Version:

nginx -v 2>&1

Verify Fix Applied:

Confirm the reported version is 1.13.6 or later by comparing it numerically (for example 'nginx -v 2>&1 | grep -oE "[0-9]+(\.[0-9]+)+"' and compare the components). A literal 'grep 1.13' is the wrong test: it also matches the vulnerable 1.13.0 to 1.13.5 and misses 1.14 and later. If you rely on the workaround instead, re-run 'nginx -T' after every configuration change to confirm no 'autoindex on;' remains.
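The version and configuration checks above, and the verification step in the fix instructions, combined into one classifier. This is an added example, not nginx code and not from the original page: the pure functions take the 'nginx -v' line and the 'nginx -T' dump as arguments so they can be tested without nginx installed, and check_host() wires them to the real commands. It assumes 'nginx -T' is available (introduced in 1.9.2) and that the version line has the standard "nginx version: name/x.y.z" shape.

```sh
#!/bin/sh
# Added example (not nginx project code): classify a host as patched,
# mitigated (old version, but autoindex off everywhere) or vulnerable.
set -u

FIXED_VERSION=1.13.6

# version_lt A B -> exit 0 if dotted version A is numerically below B.
# A string comparison or "grep 1.13" gets 1.9 vs 1.13 and 1.14 wrong.
version_lt() {
    v1=$1 v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        p1=${v1%%.*} p2=${v2%%.*}
        [ "${p1:-0}" -lt "${p2:-0}" ] && return 0
        [ "${p1:-0}" -gt "${p2:-0}" ] && return 1
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    done
    return 1   # equal
}

# nginx_version_from LINE -> "1.13.6" from "nginx version: nginx/1.13.6";
# also handles vendor builds such as "nginx version: openresty/1.19.3.1".
nginx_version_from() {
    printf '%s\n' "$1" | sed -nE 's#^nginx version: [^/]+/([0-9]+(\.[0-9]+)+).*#\1#p'
}

# autoindex_enabled_in DUMP -> exit 0 if any effective config line turns
# autoindex on (commented lines do not match the anchored pattern).
autoindex_enabled_in() {
    printf '%s\n' "$1" | grep -qE '^[[:space:]]*autoindex[[:space:]]+on[[:space:]]*;'
}

# assess VERSION_LINE DUMP -> prints one of: patched, mitigated, vulnerable, unknown
assess() {
    ver=$(nginx_version_from "$1")
    if [ -z "$ver" ]; then
        echo unknown
    elif ! version_lt "$ver" "$FIXED_VERSION"; then
        echo patched
    elif autoindex_enabled_in "$2"; then
        echo vulnerable
    else
        echo mitigated
    fi
}

# check_host -> run the real commands on this machine. "nginx -T" writes the
# resolved configuration to stdout and its test messages to stderr.
check_host() {
    assess "$(nginx -v 2>&1)" "$(nginx -T 2>/dev/null)"
}
```

A "vulnerable" verdict from a distribution package is worth a second look, since Debian and Red Hat backport fixes without bumping the upstream version string ('apt changelog nginx' or 'rpm -q --changelog nginx' shows whether this fix is included). A "patched" verdict needs no such caveat.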

📡 Detection & Monitoring

Log Indicators:

  • [alert] lines in the NGINX error log of the form "worker process NNNN exited on signal 11 (core dumped)"; the master respawns the worker, so look for repeats rather than a single entry
  • Kernel segfault messages for nginx worker processes in dmesg or the journal
  • A gap in the access log: the request that crashes a worker is never logged, so the listing requests just before each crash are the ones to examine

Network Indicators:

  • Repeated requests for directory URIs (paths ending in /) on hosts with autoindex enabled, especially many from one client
  • Sudden service unavailability on NGINX ports

SIEM Query:

source="nginx" AND (error OR crash OR segfault) AND autoindex

🔗 References
