18-year-old flaw in NGINX ngx_http_rewrite_module enables unauthenticated RCE (CVE-2026-42945)

Colleagues, please note: a critical NGINX vulnerability has been disclosed.
Researchers at depthfirst reported a heap buffer overflow in ngx_http_rewrite_module (CVE-2026-42945, CVSS 9.2). A specially crafted HTTP request can lead to remote code execution or denial of service.
Both NGINX Open Source and NGINX Plus are affected; patched releases are available (e.g. R32+ / 1.30.1+). Three additional vulnerabilities in other modules were also fixed.
If you cannot upgrade immediately, mitigate by replacing unnamed captures ($1, $2) with named captures in rewrite directives.
Why it matters: the flaw is exploitable without authentication and can compromise operational workflows.
How will you respond in your environment?
#cybersecurity #NGINX #vulnerabilities #AppSec
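As an added illustration of the interim mitigation named above (not part of the original post, and not taken from the NGINX project or the researchers' advisory): a rewrite that uses the unnamed captures $1/$2, shown next to the equivalent rewrite using PCRE named captures. The hostname, paths and capture names are constructed for the example; the two server blocks are alternatives, not meant to be deployed side by side.

```nginx
# BEFORE: rewrite relying on unnamed captures ($1, $2).
# This is the pattern the post recommends replacing while unpatched.
server {
    listen 80;
    server_name before.example.test;   # constructed hostname

    location /old/ {
        # Captures the two path segments positionally.
        rewrite ^/old/([^/]+)/([^/]+)$ /new/$1/$2 last;
    }

    location /new/ {
        return 200 "rewritten\n";
    }
}

# AFTER: the same rewrite using named captures (?<name>...),
# referenced as $name instead of $1/$2.
server {
    listen 80;
    server_name after.example.test;    # constructed hostname

    location /old/ {
        # Same regex, each group given a name; no positional $N references remain.
        rewrite ^/old/(?<section>[^/]+)/(?<item>[^/]+)$ /new/$section/$item last;
    }

    location /new/ {
        return 200 "rewritten\n";
    }
}
```

Validate the changed configuration with `nginx -t` before reloading, and after the change confirm that no rewrite directive still references a positional capture (a search for `\$[0-9]` across the included configuration files is a quick check). The post presents this as a stopgap only; upgrading to the patched releases it lists remains the fix.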