mod_pagespeed and ngx_pagespeed Security Advisory: SSL fetching man-in-the-middle attack.


June 17th, 2014

Versions Affected:
  • mod_pagespeed through (fixed in
  • mod_pagespeed and ngx_pagespeed through (fixed in

Some versions of mod_pagespeed and ngx_pagespeed, in order to support fetching of HTTPS content, link in versions of OpenSSL that are vulnerable to a man-in-the-middle attack. This attack permits an adversary who can monitor and alter traffic between a client (mod_pagespeed or ngx_pagespeed in this case) and a server to decrypt and modify encrypted transfers, as long as both are running vulnerable versions (see CVE-2014-0224 for more detail).

mod_pagespeed and ngx_pagespeed users are only vulnerable if they turn on the optional FetchHttps feature.
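To check whether a server is in the affected configuration, the following added example (not part of the original advisory or of the PageSpeed code base) scans Apache or nginx configuration text for a FetchHttps directive and reports whether it enables the feature. It assumes the directive spellings `ModPagespeedFetchHttps` (Apache) and `pagespeed FetchHttps` (nginx) with a comma-separated value such as `enable` or `disable`, and it treats a missing directive as off, as the advisory describes; the sample configurations are constructed.

```python
import re
import sys

# Assumed directive forms:
#   Apache: ModPagespeedFetchHttps enable[,option...]
#   nginx:  pagespeed FetchHttps enable[,option...];
_DIRECTIVE = re.compile(
    r"^\s*(?:ModPagespeedFetchHttps|pagespeed\s+FetchHttps)\s+([^\s;#]+)",
    re.IGNORECASE,
)

def fetch_https_settings(config_text):
    """Return (line_number, value, enabled) for each FetchHttps directive."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = _DIRECTIVE.match(line)
        if not match:
            continue  # commented-out lines begin with '#', so they never match
        value = match.group(1).strip("\"'")
        options = [opt.strip().lower() for opt in value.split(",")]
        findings.append((number, value, "enable" in options))
    return findings

def uses_fetch_https(config_text):
    """True if any directive enables FetchHttps (conservative across scopes)."""
    return any(enabled for _, _, enabled in fetch_https_settings(config_text))

# Constructed sample configurations, for illustration only.
APACHE_SAMPLE = """\
ModPagespeed on
# ModPagespeedFetchHttps disable
ModPagespeedFetchHttps enable,allow_self_signed
"""

NGINX_SAMPLE = """\
pagespeed on;
pagespeed FetchHttps disable;
"""

if __name__ == "__main__":
    # Usage: python check_fetchhttps.py /path/to/config [more configs...]
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as handle:
            for number, value, enabled in fetch_https_settings(handle.read()):
                state = "ENABLED" if enabled else "disabled"
                print(f"{path}:{number}: FetchHttps {value} ({state})")
```

A server flagged as enabled still needs its installed PageSpeed version compared against the fixed versions listed in this advisory.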


For mod_pagespeed, update to one of versions, or newer.

For ngx_pagespeed, update to or newer.


Use a method other than FetchHttps to fetch HTTPS content, as described in the HTTP Support documentation.