AI agent finds 18-year-old remote code execution flaw in Nginx

ngx_http_rewrite_module, a component that handles URL rewrites, and impacts Nginx versions from 0.6.27 to 1.30.0. The issue has been given a 9.2 CVSS severity score and was patched in versions 1.31.0 and 1.30.1.

The commercial product, Nginx Plus, owned and developed by network and application security firm F5, is also vulnerable, and received patches in versions R36 P4, R32 P6 and 37.0.0. Other F5 products based on Nginx open source and Nginx Plus are impacted but have not yet received updates, including Nginx Instance Manager, F5 WAF for Nginx, Nginx App Protect WAF, F5 DoS for Nginx, Nginx App Protect DoS, Nginx Gateway Fabric, and Nginx Ingress Controller.

"This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?)," F5 said in its advisory.

According to the company, exploitation will result in a denial of service condition in the form of a server crash and, on systems with Address Space Layout Randomization (ASLR) disabled, arbitrary code execution. While the proof-of-concept (PoC) exploit developed by DepthFirst and shared with F5 did not include an ASLR bypass, the researchers believe it is possible to achieve one. ASLR is a memory corruption exploit mitigation technology that is present and enabled by default in most modern operating systems.

"Nginx uses a multi-process architecture where worker processes fork from a single master process," DepthFirst researcher Zhenpeng Lin said in a blog post. "Because of this design, the memory space is duplicated exactly for every child worker. This means the heap layout remains entirely deterministic across different workers. If our exploit fails and crashes a worker, the master process simply spawns a new one with the exact same memory layout. This allows us to safely try multiple times until we succeed without worrying about the worker crashing and changing the memory layout. Theoretically, we could leverage this design to leak ASLR by progressively overwriting pointers byte by byte."

The researchers also believe the Nginx configurations required to exploit this vulnerability are common. For example, URL rewrite rules are often used when migrating API endpoints to new locations without causing disruptions to external clients that still query the old URL. The set directive can be used to store the original path, or parts of it, in a custom variable to maintain state, route endpoints dynamically, or pass it to the backend application for audit and logging purposes. "Together, these two directives are common building blocks in API gateway configurations," Lin said.

Since the proof-of-concept exploit has been published on GitHub, users are advised to upgrade to a patched version as soon as possible, as Nginx vulnerabilities have been exploited by attackers in the past. Denial of service alone is a serious risk to web servers, even without the ASLR bypass posited by the researchers.

The other three vulnerabilities disclosed by DepthFirst and patched in the new Nginx releases can also lead to denial of service, memory leaks, or data modification. They are tracked as CVE-2026-42946 (CVSS 8.3, high severity), CVE-2026-42934 (CVSS 6.3, medium) and CVE-2026-40701 (CVSS 6.3, medium).
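As an added defender-side check (not code from the article, F5 or DepthFirst), the following Python script audits an `nginx -v` version string against the affected range reported above and scans a config for the directive pattern F5 describes: a rewrite whose replacement uses an unnamed capture and a question mark, followed in the same block by a rewrite, if or set. The pattern match is a heuristic assumed from the advisory wording, and the sample config is constructed for illustration.

```python
import re
from typing import List, Tuple

# Affected range as reported in the article: 0.6.27 through 1.30.0;
# 1.30.1 and 1.31.0 are the fixed releases (both fall outside the range).
AFFECTED_MIN = (0, 6, 27)
AFFECTED_MAX = (1, 30, 0)

# Heuristic matchers (assumption: directives start their own line, as is usual in nginx.conf).
REWRITE_RE = re.compile(r"^\s*rewrite\s+(\S+)\s+(\S+)")
FOLLOW_RE = re.compile(r"^\s*(rewrite|if|set)\b")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Pull the version tuple out of `nginx -v` output, e.g. 'nginx version: nginx/1.26.2'."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no nginx version found in: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def version_is_affected(v: Tuple[int, int, int]) -> bool:
    """True when the version lies inside the affected range (tuple comparison is lexicographic)."""
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def find_risky_rewrites(config: str) -> List[int]:
    """Return 1-based line numbers of rewrite directives whose replacement contains an
    unnamed capture ($1..$9) and a '?', with a rewrite/if/set later in the same block."""
    lines = config.splitlines()
    hits = []
    for i, line in enumerate(lines):
        m = REWRITE_RE.match(line)
        if not m:
            continue
        replacement = m.group(2)
        if not (re.search(r"\$\d", replacement) and "?" in replacement):
            continue
        for nxt in lines[i + 1:]:          # look ahead until the enclosing block closes
            if nxt.strip().startswith("}"):
                break
            if FOLLOW_RE.match(nxt):
                hits.append(i + 1)
                break
    return hits


# Constructed sample: the first location shows the flagged pattern, the second does not.
SAMPLE_CONFIG = """\
server {
    listen 80;
    location /api/v1/ {
        # migrated endpoint; query marker tells the backend this was a legacy URL
        rewrite ^/api/v1/(.*)$ /api/v2/$1?legacy=1 break;
        set $orig_path $1;
        proxy_pass http://backend;
    }
    location /static/ {
        rewrite ^/static/(.*)$ /assets/$1 last;
    }
}
"""

if __name__ == "__main__":
    print("affected version:", version_is_affected(parse_version("nginx version: nginx/1.26.2")))
    print("rewrite lines to review:", find_risky_rewrites(SAMPLE_CONFIG))
```

Feed it the real output of `nginx -v` and `nginx -T` (which dumps the full effective configuration); a hit means the block deserves manual review and an upgrade, not that exploitation is confirmed.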

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4171437/ai-agent-finds-18-year-old-remote-code-execution-flaw-in-nginx.html
