RCE Proof of concept for CVE-2026-42945, a critical heap buffer overflow in NGINX's ngx_http_rewrite_module introduced in 2008. The bug enables unauthenticated remote code execution against servers using rewrite and set directives.
This vulnerability — along with three other memory corruption issues (CVE-2026-42946, CVE-2026-40701, CVE-2026-42934) — was autonomously discovered by depthfirst's security analysis system after a single click of onboarding the NGINX source.
Want to find issues like this in your own code? Try the same system at https://depthfirst.com/open-defense.
NGINX's script engine uses a two-pass process: first compute the required buffer size, then copy data in. The is_args flag is set on the main engine when a rewrite replacement contains ?, but the length-calculation pass runs on a freshly zeroed sub-engine. So:
- Length pass sees
is_args = 0→ returns raw capture length. - Copy pass sees
is_args = 1→ callsngx_escape_uriwithNGX_ESCAPE_ARGS, expanding each escapable byte to 3 bytes.
The copy overflows the undersized heap buffer with attacker-controlled URI data. Exploitation uses cross-request heap feng shui to corrupt an adjacent ngx_pool_t's cleanup pointer (sprayed via POST bodies, since URI bytes can't contain null bytes), redirecting it to a fake ngx_pool_cleanup_s invoking system() on pool destruction.
Read more about this bug in our technical write-up.
| Product | Affected | Fixed in |
|---|---|---|
| NGINX Open Source | 0.6.27 – 1.30.0 | 1.31.0, 1.30.1 |
| NGINX Plus | R32 – R36 | R36 P4, R35 P2, R32 P6 |
Full vendor advisory: https://my.f5.com/manage/s/article/K000160932
Tested on Ubuntu 24.04.3 LTS.
./setup.sh— build the container.docker compose -f env/docker-compose.yml up— start the vulnerable NGINX server.python3 poc.py --shell— pop a shell.