New Nginx Exploit


RCE proof of concept for CVE-2026-42945, a critical heap buffer overflow in NGINX's ngx_http_rewrite_module introduced in 2008. The bug enables unauthenticated remote code execution against servers using the rewrite and set directives.

This vulnerability — along with three other memory corruption issues (CVE-2026-42946, CVE-2026-40701, CVE-2026-42934) — was autonomously discovered by depthfirst's security analysis system after a single click of onboarding the NGINX source.

Want to find issues like this in your own code? Try the same system at https://depthfirst.com/open-defense.

NGINX's script engine uses a two-pass process: first compute the required buffer size, then copy data in. The is_args flag is set on the main engine when a rewrite replacement contains ?, but the length-calculation pass runs on a freshly zeroed sub-engine. So:

  • Length pass sees is_args = 0 → returns raw capture length.
  • Copy pass sees is_args = 1 → calls ngx_escape_uri with NGX_ESCAPE_ARGS, expanding each escapable byte to 3 bytes.

The copy overflows the undersized heap buffer with attacker-controlled URI data. Exploitation uses cross-request heap feng shui to corrupt an adjacent ngx_pool_t's cleanup pointer (sprayed via POST bodies, since URI bytes can't contain null bytes), redirecting it to a fake ngx_pool_cleanup_s invoking system() on pool destruction.
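The length/copy mismatch described above, as an added C model that is not code from this repository or from NGINX: it computes how many bytes each pass accounts for and the shortfall the copy pass would write past the buffer. The escapable-byte set is a simplification (non-unreserved URI characters) and only approximates NGINX's escape tables.

```c
#include <stdio.h>
#include <stddef.h>
#include <ctype.h>

/* Assumption: a byte is escapable if it is not an unreserved URI character.
 * This approximates, but is not, nginx's real NGX_ESCAPE_ARGS table. */
static int escapable(unsigned char c) {
    return !(isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~');
}

/* Bytes the copy pass emits for `src`: 1 per byte, or 3 per escapable
 * byte when the engine escapes arguments (is_args set). */
size_t copy_len(const unsigned char *src, size_t n, int is_args) {
    size_t out = 0;
    for (size_t i = 0; i < n; i++)
        out += (is_args && escapable(src[i])) ? 3 : 1;
    return out;
}

/* Buggy length pass: runs on a zeroed sub-engine, so is_args is always 0. */
size_t length_pass_buggy(const unsigned char *src, size_t n, int is_args) {
    (void)is_args;                 /* the main engine's flag never reaches here */
    return copy_len(src, n, 0);
}

/* Fixed length pass: sizes the buffer with the same flag the copy pass uses. */
size_t length_pass_fixed(const unsigned char *src, size_t n, int is_args) {
    return copy_len(src, n, is_args);
}

/* Bytes the copy pass would write beyond the buffer the length pass sized. */
size_t overflow_bytes(size_t (*length_pass)(const unsigned char *, size_t, int),
                      const unsigned char *src, size_t n, int is_args) {
    size_t alloc = length_pass(src, n, is_args);
    size_t need = copy_len(src, n, is_args);
    return need > alloc ? need - alloc : 0;
}

int main(void) {
    /* Constructed sample capture: two escapable bytes (' ' and '%'). */
    const unsigned char cap[] = "a b%c";
    size_t n = sizeof(cap) - 1;
    printf("buggy length pass shortfall: %zu bytes\n",
           overflow_bytes(length_pass_buggy, cap, n, 1));
    printf("fixed length pass shortfall: %zu bytes\n",
           overflow_bytes(length_pass_fixed, cap, n, 1));
    return 0;
}
```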

Read more about this bug in our technical write-up.

| Product | Affected | Fixed in |
|---|---|---|
| NGINX Open Source | 0.6.27 – 1.30.0 | 1.31.0, 1.30.1 |
| NGINX Plus | R32 – R36 | R36 P4, R35 P2, R32 P6 |

Full vendor advisory: https://my.f5.com/manage/s/article/K000160932

Tested on Ubuntu 24.04.3 LTS.

  1. `./setup.sh`: build the container.
  2. `docker compose -f env/docker-compose.yml up`: start the vulnerable NGINX server.
  3. `python3 poc.py --shell`: pop a shell.
