PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55233 openresty CVE debrief

CVE-2026-55233 is an out-of-bounds write vulnerability in OpenResty PROXY protocol v2 implementation. The issue exists from version 1.29.2.1 to before 1.29.2.5. When OpenResty is configured to send PROXY protocol version 2 headers to upstream servers, constructing the header in the stream proxy protocol v2 patch can write beyond the bounds of the allocated buffer, causing the worker process to crash and resulting in a denial of service. Only configurations that explicitly enable PROXY protocol v2 for upstream connections are impacted. This issue is fixed in version 1.29.2.5.

Vendor
openresty
Product
Unknown
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of OpenResty who have configured PROXY protocol v2 for upstream connections should be aware of this vulnerability and take steps to remediate. This includes reviewing configurations, ensuring that PROXY protocol v2 is not enabled for upstream connections unless necessary, and monitoring OpenResty logs for potential denial of service attacks. Additionally, users should review the official CVE record and OpenResty documentation for more information.

Technical summary

The vulnerability exists in the upstream PROXY protocol v2 implementation in OpenResty. When OpenResty is configured to send PROXY protocol version 2 headers to upstream servers, constructing the header in the stream proxy protocol v2 patch can write beyond the bounds of the allocated buffer. This can cause the worker process to crash and result in a denial of service. The issue is fixed in version 1.29.2.5. Users should review the official CVE record and OpenResty documentation for more information.

Defensive priority

High

Recommended defensive actions

  • Upgrade to OpenResty version 1.29.2.5 or later
  • Review and update OpenResty configurations to ensure PROXY protocol v2 is not enabled for upstream connections unless necessary
  • Monitor OpenResty logs for potential denial of service attacks
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-10T21:16:55.760Z and has not been modified since then. The NVD entry is currently 7.5 HIGH. Limited information is available about the vulnerability, and users are advised to review the official CVE record and OpenResty documentation for more information. The vulnerability exists in the upstream PROXY protocol v2 implementation in OpenResty, and constructing the header in the stream proxy protocol v2 patch can write beyond the bounds of the allocated buffer, causing the worker process to crash and resulting in a denial of service.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T21:16:55.760Z and has not been modified since then.