release-1.31.0
📦 nginxView on GitHub →
✨ 8 features🐛 13 fixes🔧 7 symbols
Summary
Nginx 1.31.0 mainline release addresses numerous critical security vulnerabilities across various modules and introduces support for HTTP forward proxy and least_time load balancing.
Migration Steps
- If using upstream sticky module, note that a synonym for the option has been added in configure.
✨ New Features
- Support for HTTP forward proxy.
- Connection specific headers.
- Restrict duplicate TE headers in HTTP/2 and HTTP/3.
- HTTP/3: optimize encoder stream memory usage.
- Stream: support ALPN for proxy_ssl upstream.
- Added synonym for the upstream sticky module option in configure.
- Upstream: least_time load balancing for HTTP and stream.
- HTTP CONNECT proxy support.
🐛 Bug Fixes
- Fixes HTTP/2 request injection vulnerability in ngx_http_proxy_module (CVE-2026-42926).
- Fixes buffer overflow vulnerability in ngx_http_rewrite_module (CVE-2026-42945).
- Fixes buffer overread vulnerabilities in ngx_http_scgi_module and ngx_http_uwsgi_module (CVE-2026-42946).
- Fixes buffer overread vulnerability in ngx_http_charset_module (CVE-2026-42934).
- Fixes address spoofing vulnerability in HTTP/3 (CVE-2026-40460).
- Fixes use-after-free vulnerability in OCSP requests to resolver (CVE-2026-40701).
- SSL: logging level fixes.
- SSL: log SSL_R_RECORD_LAYER_FAILURE at info level.
- Prevent Undefined Behaviour in memcpy(3) via ngx_init_cycle().
- Configure: fix gcc version detection in some corner cases.
- Request body: fixed empty body buffering special case.
- Proxy: fix keepalive for HTTP/2 when no body is specified.
- Reject HTTP CONNECT method with no port after colon.