![](data:image/svg+xml;charset=utf-8,<svg height="300" width="500" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
Today we are releasing updates to NGINX Open Source and NGINX Plus in response to the recent discovery of vulnerabilities in many implementations of HTTP/2. We strongly recommend upgrading all systems that have HTTP/2 enabled.
In May 2019, researchers at Netflix discovered a number of security vulnerabilities in several HTTP/2 server implementations. These were responsibly reported to each of the vendors and maintainers concerned. NGINX was vulnerable to three attack vectors, as detailed in the following CVEs:
- CVE-2019-9511 (Data dribble)
- CVE-2019-9513 (Resource loop)
- CVE-2019-9516 (Zero‑length headers leak)
We have addressed these vulnerabilities, and added other HTTP/2 security safeguards, in the following NGINX versions:
- NGINX 1.16.1 (stable)
- NGINX 1.17.3 (mainline)
- NGINX Plus R18 P1