
fix: mitigate httpoxy vulnerability (CVE-2016-5385) in nginx config#40680

Open
lbajsarowicz wants to merge 1 commit into magento:2.4-develop from lbajsarowicz:fix/nginx-httpoxy-mitigation

Conversation

@lbajsarowicz (Contributor)

Description

Mitigate the httpoxy vulnerability (CVE-2016-5385) in the sample Nginx configuration by clearing the Proxy request header before it reaches PHP-FPM.

Problem

When Nginx passes a request to PHP-FPM via FastCGI, any Proxy: HTTP request header is automatically mapped to the HTTP_PROXY environment variable by the CGI specification. A malicious client can send a crafted Proxy: header to redirect outbound HTTP requests made by PHP (via Guzzle, cURL, or file_get_contents) through an attacker-controlled proxy.

This affects any PHP code that respects the HTTP_PROXY environment variable, including:

  • Guzzle HTTP client (used extensively by Magento for payment gateways, shipping providers, etc.)
  • PHP's native stream wrapper with file_get_contents
  • Any library that reads HTTP_PROXY for proxy configuration

The Varnish VCL templates already mitigate this (see #40654), but the Nginx sample config does not.

Solution

Add fastcgi_param HTTP_PROXY ""; to all three FastCGI pass blocks in nginx.conf.sample:

  • Setup application (/setup)
  • Update application (/update)
  • Main application (PHP entry point)

This ensures the HTTP_PROXY environment variable is always empty regardless of client-supplied headers.

References

Files Changed

  • nginx.conf.sample

⭐ Support my work

Do you like the fix? Remember to react with "👍🏻" to get it merged faster.
Then sponsor me on GitHub so I can spend more time on fixing issues like this one.

Learn more at https://github.com/sponsors/lbajsarowicz
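The PR above relies on a single nginx directive, but the mitigation only holds if every block that does fastcgi_pass actually ends up with HTTP_PROXY cleared, and nginx's inheritance rule for fastcgi_param (a block inherits the parent's fastcgi_param directives only when it defines none of its own) makes that easy to get wrong. The following checker is an added example, not code from the PR or from Magento: it parses an nginx config, resolves which fastcgi_param directives apply to each fastcgi_pass block under that rule, and reports the blocks where HTTP_PROXY is not cleared. The sample config, its location names and the fastcgi_backend upstream are constructed for the example.

```python
"""Report nginx FastCGI blocks that do not clear HTTP_PROXY (httpoxy mitigation check).

Added example, not code from the PR or from Magento. It models nginx's
inheritance rule for fastcgi_param: a block inherits the parent's
fastcgi_param directives only if it defines none of its own.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample config (not Magento's nginx.conf.sample): four FastCGI blocks.
# /setup clears HTTP_PROXY itself, /update's inner block inherits the clearing,
# /legacy's inner block defines its own fastcgi_param and so loses the inherited
# one, and the main block has no clearing at all.
SAMPLE_NGINX_CONF = r"""
# Constructed sample, not Magento's nginx.conf.sample.
location /setup {
    location ~ ^/setup/index.php {
        fastcgi_pass   fastcgi_backend;
        fastcgi_param  HTTP_PROXY "";
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}
location /update {
    fastcgi_param  HTTP_PROXY "";
    location ~ ^/update/index.php {
        fastcgi_pass   fastcgi_backend;
        include        fastcgi_params;
    }
}
location /legacy {
    fastcgi_param  HTTP_PROXY "";
    location ~ ^/legacy/index.php {
        fastcgi_pass   fastcgi_backend;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
location ~ ^/(index|get|static)\.php$ {
    fastcgi_pass   fastcgi_backend;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include        fastcgi_params;
}
"""


@dataclass
class Block:
    header: str                       # e.g. 'location /setup'
    line: int                         # 1-based line where the block opens
    parent: Optional["Block"]
    params: List[Tuple[str, str]] = field(default_factory=list)  # own fastcgi_param directives
    has_fastcgi_pass: bool = False
    children: List["Block"] = field(default_factory=list)


def parse(conf: str) -> Block:
    """Minimal brace parser: assumes one directive, '{' opener or '}' per line."""
    root = Block("main", 0, None)
    current = root
    for lineno, raw in enumerate(conf.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.endswith("{"):
            block = Block(line[:-1].strip(), lineno, current)
            current.children.append(block)
            current = block
        elif line == "}":
            if current.parent is not None:
                current = current.parent
        elif line.endswith(";"):
            parts = line[:-1].split()
            if parts[0] == "fastcgi_pass":
                current.has_fastcgi_pass = True
            elif parts[0] == "fastcgi_param" and len(parts) >= 2:
                # 'include fastcgi_params;' is a different directive and is not followed.
                current.params.append((parts[1], " ".join(parts[2:])))
    return root


def effective_params(block: Block) -> List[Tuple[str, str]]:
    """fastcgi_param directives in force inside `block`, per nginx's inheritance rule."""
    b: Optional[Block] = block
    while b is not None:
        if b.params:
            return b.params
        b = b.parent
    return []


def http_proxy_cleared(params: List[Tuple[str, str]]) -> bool:
    """True if the params contain the mitigation: fastcgi_param HTTP_PROXY ""; (or '')."""
    return any(name == "HTTP_PROXY" and value in ('""', "''") for name, value in params)


def find_unmitigated(conf: str) -> List[Tuple[int, str]]:
    """(line, header) of every fastcgi_pass block where HTTP_PROXY is not cleared."""
    findings: List[Tuple[int, str]] = []

    def visit(block: Block) -> None:
        if block.has_fastcgi_pass and not http_proxy_cleared(effective_params(block)):
            findings.append((block.line, block.header))
        for child in block.children:
            visit(child)

    visit(parse(conf))
    return findings


if __name__ == "__main__":
    for line, header in find_unmitigated(SAMPLE_NGINX_CONF):
        print(f'line {line}: "{header}" passes to FastCGI without fastcgi_param HTTP_PROXY "";')
```

Run against the constructed sample, the checker flags the /legacy inner block (its own SCRIPT_FILENAME directive cuts off the inherited HTTP_PROXY clearing) and the main PHP block, and accepts /setup and /update. Files pulled in through include are not followed, and a line carrying several directives is not split, so treat the result as a quick review aid for a config in the nginx.conf.sample style rather than a full nginx parser.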

@m2-assistant

m2-assistant bot commented Apr 10, 2026

Hi @lbajsarowicz. Thank you for your contribution!
Here are some useful tips on how you can test your changes using Magento test environment.
❗ Automated tests can be triggered manually with an appropriate comment:

  • @magento run all tests - run or re-run all required tests against the PR changes
  • @magento run <test-build(s)> - run or re-run specific test build(s)
    For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names.

Allowed build names are:
  1. Database Compare
  2. Functional Tests CE
  3. Functional Tests EE
  4. Functional Tests B2B
  5. Integration Tests
  6. Magento Health Index
  7. Sample Data Tests CE
  8. Sample Data Tests EE
  9. Sample Data Tests B2B
  10. Static Tests
  11. Unit Tests
  12. WebAPI Tests
  13. Semantic Version Checker

You can find more information about the builds here
ℹ️ Run only required test builds during development. Run all test builds before sending your pull request for review.


For more details, review the Code Contributions documentation.
Join Magento Community Engineering Slack and ask your questions in #github channel.
