PatchSiren cyber security CVE debrief
CVE-2026-55233 openresty CVE debrief
CVE-2026-55233 is an out-of-bounds write vulnerability in OpenResty PROXY protocol v2 implementation. The issue exists from version 1.29.2.1 to before 1.29.2.5. When OpenResty is configured to send PROXY protocol version 2 headers to upstream servers, constructing the header in the stream proxy protocol v2 patch can write beyond the bounds of the allocated buffer, causing the worker process to crash and resulting in a denial of service. Only configurations that explicitly enable PROXY protocol v2 for upstream connections are impacted. This issue is fixed in version 1.29.2.5.
- Vendor
- openresty
- Product
- Unknown
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of OpenResty who have configured PROXY protocol v2 for upstream connections should be aware of this vulnerability and take steps to remediate. This includes reviewing configurations, ensuring that PROXY protocol v2 is not enabled for upstream connections unless necessary, and monitoring OpenResty logs for potential denial of service attacks. Additionally, users should review the official CVE record and OpenResty documentation for more information.
Technical summary
The vulnerability exists in the upstream PROXY protocol v2 implementation in OpenResty. When OpenResty is configured to send PROXY protocol version 2 headers to upstream servers, constructing the header in the stream proxy protocol v2 patch can write beyond the bounds of the allocated buffer. This can cause the worker process to crash and result in a denial of service. The issue is fixed in version 1.29.2.5. Users should review the official CVE record and OpenResty documentation for more information.
Defensive priority
High
Recommended defensive actions
- Upgrade to OpenResty version 1.29.2.5 or later
- Review and update OpenResty configurations to ensure PROXY protocol v2 is not enabled for upstream connections unless necessary
- Monitor OpenResty logs for potential denial of service attacks
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-10T21:16:55.760Z and has not been modified since then. The NVD entry is currently 7.5 HIGH. Limited information is available about the vulnerability, and users are advised to review the official CVE record and OpenResty documentation for more information. The vulnerability exists in the upstream PROXY protocol v2 implementation in OpenResty, and constructing the header in the stream proxy protocol v2 patch can write beyond the bounds of the allocated buffer, causing the worker process to crash and resulting in a denial of service.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T21:16:55.760Z and has not been modified since then.