Nginx Redirect Header Injection
Description
Nginx web servers that use the $uri or $document_uri variables in HTTP redirect configurations are vulnerable to header injection attacks. These variables contain URL-decoded and normalized URI values, which allows attackers to inject CRLF (Carriage Return Line Feed) characters through specially crafted URLs. This misconfiguration enables manipulation of HTTP response headers sent by the server.
Remediation
Replace the use of $uri and $document_uri variables with $request_uri in all redirect configurations. The $request_uri variable contains the original, unmodified request URI, so percent-encoded sequences such as %0d%0a are passed through still encoded instead of being decoded into line breaks, which prevents CRLF injection attacks.
Vulnerable configuration example:

    location / {
        return 302 https://example.com$uri;
    }

Secure configuration example:

    location / {
        return 302 https://example.com$request_uri;
    }

After making changes, test the configuration with nginx -t and reload nginx with nginx -s reload. Verify that redirects work correctly and that URLs containing encoded characters like %0d%0a are properly rejected or sanitized.
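As an added illustration, not part of the original advisory, the following Python script does two things a defender would want when applying this remediation: it scans an nginx configuration for return/rewrite directives whose target embeds $uri or $document_uri, and it models in simplified form how nginx expands those variables versus $request_uri, so you can see why a %0d%0a probe becomes a literal line break in one Location header and stays encoded in the other. The sample configuration and the probe path are constructed for the example; the variable model (percent-decoding plus duplicate-slash collapsing) is an assumption that approximates nginx's normalization rather than reproducing it exactly.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample nginx config for the example (not a real deployment).
# Two redirect directives use the unsafe variables, one uses $request_uri.
SAMPLE_CONFIG = """
server {
    listen 80;
    location /old/ {
        return 302 https://example.com$uri;
    }
    location /docs/ {
        rewrite ^ https://example.com$document_uri permanent;
    }
    location / {
        return 302 https://example.com$request_uri;
    }
}
"""

# "$uri" or "$document_uri" as a whole variable name; "$request_uri" does
# not match because the "$" must sit directly in front of "uri".
UNSAFE_VAR = re.compile(r"\$(?:uri|document_uri)\b")
REDIRECT_DIRECTIVE = re.compile(r"^\s*(?:return|rewrite)\b")
ANY_VAR = re.compile(r"\$(?:request_uri|document_uri|uri)\b")


def find_vulnerable_redirects(config_text):
    """Return (line_number, directive) for every return/rewrite directive
    whose target embeds $uri or $document_uri. Comments are ignored."""
    hits = []
    for number, line in enumerate(config_text.splitlines(), 1):
        code = line.split("#", 1)[0]
        if REDIRECT_DIRECTIVE.match(code) and UNSAFE_VAR.search(code):
            hits.append((number, code.strip()))
    return hits


def nginx_vars(raw_request_uri):
    """Simplified model (an assumption, not nginx's real code) of the three
    variables: $uri/$document_uri are the percent-decoded, normalized path;
    $request_uri is the request line's URI exactly as received."""
    path = urlsplit(raw_request_uri).path
    normalized = re.sub(r"/{2,}", "/", unquote(path))
    return {
        "$uri": normalized,
        "$document_uri": normalized,
        "$request_uri": raw_request_uri,
    }


def expand_redirect_target(template, raw_request_uri):
    """Expand the variables in a redirect target the way the model above
    says nginx would, yielding the Location header value."""
    values = nginx_vars(raw_request_uri)
    return ANY_VAR.sub(lambda m: values[m.group(0)], template)


def header_value_is_injected(value):
    """A header value containing a raw CR or LF would terminate the header
    and let the remainder be parsed as additional headers or body."""
    return "\r" in value or "\n" in value


if __name__ == "__main__":
    for number, directive in find_vulnerable_redirects(SAMPLE_CONFIG):
        print(f"line {number}: {directive}")
    # Constructed probe path: percent-encoded CR LF followed by header text.
    probe = "/old/%0d%0aSet-Cookie:%20injected=1"
    for template in ("https://example.com$uri", "https://example.com$request_uri"):
        location = expand_redirect_target(template, probe)
        print(template, "->", repr(location),
              "INJECTED" if header_value_is_injected(location) else "safe")
```

To use it on a real server, read the configuration file and pass its contents to find_vulnerable_redirects; every hit is a directive to rewrite per the remediation above. Keep in mind that $request_uri also carries the query string, which is why the advisory asks you to verify that redirects still behave as intended after the change.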