Nginx 1.15.6 is a widely used web server powering over 281 websites worldwide, but recent security assessments have uncovered serious vulnerabilities that put your site at risk. Three CVEs have been identified in this version, including two high-severity flaws that could allow attackers to exploit HTTP/2 implementation weaknesses. If your website runs Nginx 1.15.6, immediate action is required to protect your infrastructure from potential memory exhaustion, CPU overload, and data disclosure attacks.
This comprehensive guide will help you understand these vulnerabilities, identify if your server is affected, and walk you through the upgrade process step-by-step. We'll explain the technical details in plain language so you can make informed decisions about your web server security.
Nginx is one of the most popular open-source web servers globally, handling everything from static website files to complex application requests. Version 1.15.6 was released as a development branch update in 2018 and is still running on hundreds of production websites today. Nginx is preferred by many administrators because it's lightweight, fast, and can handle thousands of concurrent connections efficiently.
However, like all software, Nginx 1.15.6 has security weaknesses that were discovered after its release. These vulnerabilities specifically affect the HTTP/2 module and the MP4 video module—features that many modern websites use to deliver content faster and stream media files. Running an outdated version leaves your website vulnerable to attacks that could crash your server, consume excessive resources, or expose sensitive data.
3 CVEs found. The most critical are explained below.
This vulnerability affects websites using Nginx with HTTP/2 enabled. An attacker can send specially crafted requests that force your server to consume excessive memory, similar to filling up a tank beyond its capacity.
Impact: Your website could slow down dramatically or crash entirely, making it unavailable to legitimate customers and visitors.
Similar to the memory issue, this vulnerability in HTTP/2 allows attackers to send requests that force your server's processor to work excessively hard, like revving a car engine to the maximum.
Impact: Your website becomes slow and unresponsive for all users, effectively taking your site offline even though it's technically running.
This vulnerability only affects servers that serve MP4 video files through Nginx. An attacker can upload or reference a malicious MP4 file that crashes the server process.
Impact: Your video streaming or media content could be disrupted, and attackers might access sensitive information from server memory.
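Because the issues above sit in the HTTP/2 and MP4 modules, it helps to know which of them a server actually has switched on. The following is an added example, not code from the original page: it scans nginx configuration text for HTTP/2 listeners and the `mp4` directive. The sample configuration is constructed and the function names are hypothetical.

```python
import re

# Constructed sample configuration (not taken from any real server).
SAMPLE_CONF = """
http {
    server {
        listen 443 ssl http2;   # HTTP/2 enabled on this listener
        listen 80;
        location /video/ {
            mp4;                # ngx_http_mp4_module serves this location
            # mp4_buffer_size 1m;
        }
    }
    server {
        listen 8443 ssl;        # TLS only, no HTTP/2
        # listen 9443 ssl http2;
    }
}
"""

def strip_comments(conf):
    """Drop '#' comments so commented-out directives are not counted.
    Simplification: a '#' inside a quoted value is also treated as a comment."""
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())

def directives(conf):
    """Yield each directive or block header as a list of words."""
    for chunk in re.split(r"[;{}]", strip_comments(conf)):
        words = chunk.split()
        if words:
            yield words

def module_exposure(conf):
    """Return which listeners use HTTP/2 and whether mp4 is enabled anywhere."""
    result = {"http2_listeners": [], "http2_directive": False, "mp4": False}
    for name, *args in directives(conf):
        if name == "listen" and "http2" in args:
            result["http2_listeners"].append(args[0])   # e.g. "443"
        elif name == "http2" and args == ["on"]:         # newer "http2 on;" syntax
            result["http2_directive"] = True
        elif name == "mp4" and not args:
            result["mp4"] = True
    return result

if __name__ == "__main__":
    print(module_exposure(SAMPLE_CONF))
```

The scan does not follow `include` lines, so feed it the full output of `nginx -T` rather than a single file.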
The three CVEs affecting Nginx 1.15.6—CVE-2018-16843, CVE-2018-16844, and CVE-2018-16845—represent genuine security risks that could compromise your website's performance and visitor data. With 281 websites still running this vulnerable version, you're not alone in facing this challenge, but that also means attackers are actively looking for unpatched servers. Upgrading to a newer version of Nginx takes just minutes and will eliminate these security holes permanently.
Don't wait until an attack happens. Use SiteRecipe.com's comprehensive security scanning tools to identify vulnerabilities across your entire web infrastructure, monitor your server health in real-time, and receive alerts when new CVEs are discovered. Our platform makes it easy to track version updates and ensure you're always running secure, optimized software. Start your free security audit today at SiteRecipe.com and gain peace of mind knowing your website is protected.