OpenResty 1.29.2.4 released
OpenResty 1.29.2.4 is a patch release that backports fixes for five security vulnerabilities (CVEs) in the NGINX core, spanning core components such as HTTP/3, the Rewrite module, and OCSP. Please upgrade to 1.29.2.4 as soon as possible.
The source code distribution, the Win32/Win64 binary distributions, and the pre-built binary Linux packages for Ubuntu, Debian, Fedora, CentOS, RHEL, OpenSUSE, and Amazon Linux are provided on this Download page.
Version highlights
- Backported security patches for the NGINX core (CVE-2026-42945): fixed a buffer overflow in ngx_http_rewrite_module.
- Backported security patches for the NGINX core (CVE-2026-42946): fixed out-of-bounds reads in ngx_http_scgi_module and ngx_http_uwsgi_module.
- Backported security patches for the NGINX core (CVE-2026-42934): fixed an out-of-bounds read in ngx_http_charset_module.
- Backported security patches for the NGINX core (CVE-2026-40460): fixed an HTTP/3 address spoofing vulnerability.
- Backported security patches for the NGINX core (CVE-2026-40701): fixed a parser use-after-free in OCSP.
Full Change logs
For complete information, see the changelog.
Feedback
Feedback on this release is welcome. Feel free to create new GitHub issues, send email to one of our mailing lists, or discuss on our forum.













