June 19, 2026
Patch first, panic second
Tell HN: A new Nginx 0-day just dropped
Server admins are sweating, but the comments say it’s not full apocalypse yet
TLDR: Nebula says a newly revealed Nginx bug could let attackers remotely seize vulnerable servers, but only certain newer setups appear affected. In the comments, some users treated it like an active fire drill, while others insisted the risk is narrower because the feature involved is not turned on by default.
A fresh security scare just hit the internet’s favorite workhorse: Nginx, the web server software that helps power a huge chunk of the web. Security firm Nebula says it found a bug so nasty it could let attackers take over affected servers from afar, and warned that some Fortune 500 companies could be exposed. The catch, as quickly pointed out in the Hacker News discussion, is that this isn’t an everyone-panic-right-now situation for every Nginx user. According to the post, you’re mainly in danger if you’re running the newest versions and have a newer speed feature called HTTP/3 turned on.
That nuance is exactly where the comment drama kicked in. One commenter went straight to full disaster mode, saying they’d assume the bug is already being actively exploited, which is the kind of sentence that makes sleep schedules vanish instantly. Another pushed back with the cold-water reply that “QUIC isn’t enabled by default,” basically translating to: yes, this is bad, but no, the sky is not falling for everybody. That split became the whole vibe of the thread: one side sounding the alarm, the other trying to stop admins from sprinting in circles.
And then there’s the quiet subplot: Nebula casually mentioning this is the second Nginx remote-takeover bug it found in a month, plus a plug for its own tool. So the comments read like a mix of emergency dispatch, fact-check squad, and side-eye at startup launch timing.
Key Points
- Nebula Security says it discovered and disclosed a new NGINX remote code execution 0-day.
- The post says affected systems are running NGINX Open Source v1.31.0 or v1.31.1 with HTTP/3 / QUIC enabled.
- The recommended fix is to upgrade to NGINX v1.31.2 or later.
- If immediate upgrading is not possible, the post advises disabling QUIC / HTTP/3 as a temporary mitigation.
- Nebula Security says this is the second NGINX RCE 0-day it found in a month using its VEGA security agent.
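A triage check for the exposure condition in the key points above, as an added example that is not from Nebula's post or the Hacker News thread. It assumes `nginx -v` reports the upstream version string and that QUIC is switched on through the `quic` parameter of `listen` directives; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post): flag hosts matching the exposure
# condition the post describes: version 1.31.0/1.31.1 AND a QUIC listener.

# version_affected "<nginx -v output>": true for the versions named in the post.
version_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's|.*nginx/\([0-9][0-9.]*\).*|\1|p' | head -n 1)
    case "$ver" in
        1.31.0|1.31.1) return 0 ;;
        *) return 1 ;;
    esac
}

# quic_listeners: config dump on stdin; prints listen directives that carry
# the "quic" parameter. Comments are stripped first so disabled lines and
# hostnames such as quic.example.com do not count. Directives split across
# several lines are not handled.
quic_listeners() {
    sed 's/#.*//' |
        grep -E '(^|[[:space:];{])listen[[:space:]][^;]*[[:space:]]quic([[:space:]][^;]*)?;'
}

# assess "<nginx -v output>": config dump on stdin; prints one verdict word.
assess() {
    if ! version_affected "$1"; then
        echo "version-not-listed"
    elif quic_listeners >/dev/null; then
        echo "exposed"
    else
        echo "upgrade-quic-off"
    fi
}

# Constructed sample dump (stands in for `nginx -T` output).
sample_dump() {
    cat <<'EOF'
server {
    listen 443 ssl;
    listen 443 quic reuseport;
    # listen 8443 quic;
    server_name quic.example.com;
}
EOF
}

# Demo on constructed input. On a real host:
#   nginx -T 2>/dev/null | assess "$(nginx -v 2>&1)"
sample_dump | assess "nginx version: nginx/1.31.1"
```

A verdict of `upgrade-quic-off` means the binary is one of the versions the post names but no QUIC listener was found, so the upgrade to v1.31.2 or later is still due.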