NGINX HTTP/3 QUIC source IP spoofing

Successful exploitation allows an attacker to appear to originate from a different IP address than their real source. This can bypass IP-based authorization controls and evade or defeat rate-limiting mechanisms that key on client source address. Depending on deployment, this may also reduce the effectiveness of logging, abuse prevention, geofencing, reputation-based filtering, and other policy decisions derived from client IP identity.

If immediate patching is not possible, disable HTTP/3/QUIC support and serve traffic over HTTP/1.1 and/or HTTP/2 only until the fix can be deployed. Avoid relying solely on client source IP for authorization or rate limiting on affected HTTP/3 listeners; where feasible, add compensating controls such as authentication-based access decisions, upstream filtering, or rate limiting keyed on stronger identifiers. Review logs and monitoring for anomalous HTTP/3 activity from apparently trusted or rate-limited addresses.

Upgrade NGINX to a fixed release. The provided context indicates fixes are included in nginx 1.30.1 (stable) and 1.31.0 (mainline). For NGINX Plus, apply the vendor-provided update containing the fix for CVE-2026-40460. Software versions that have reached End of Technical Support are noted as not evaluated, so supported fixed builds should be used.