If your production stack includes Nginx — and statistically, it almost certainly does — you need to stop what you are doing and patch. CVE-2026-42945, dubbed Nginx Rift, is a critical heap buffer overflow in the ngx_http_rewrite_module that enables unauthenticated remote code execution. It affects every Nginx Open Source release from 0.6.27 through 1.30.0 and Nginx Plus R32 through R36. That is nearly two decades of deployments.
This is not a theoretical concern. The proof-of-concept is public, the vulnerability is trivially exploitable on common configurations, and any server using rewrite or set directives — which describes the overwhelming majority of Nginx deployments — is a target.
TL;DR
- CVE-2026-42945 (Nginx Rift) is a critical heap buffer overflow in Nginx’s rewrite module enabling unauthenticated remote code execution.
- Affected versions span Nginx Open Source 0.6.27–1.30.0 and Nginx Plus R32–R36 — nearly every production deployment.
- The root cause is a length-calculation/copy-phase mismatch in URI escape handling during rewrite processing.
- Exploitation uses cross-request heap manipulation to hijack pool cleanup pointers and execute arbitrary commands.
- Patch immediately to Nginx 1.31.0/1.30.1 or Nginx Plus R36 P4/R35 P2/R32 P6. If you cannot patch, disable rewrite rules or deploy a WAF as a stopgap.
What Makes Nginx Rift So Dangerous
Nginx powers roughly a third of the internet. It sits in front of application servers, handles TLS termination, routes traffic, and rewrites URLs — often all at once. The rewrite module is not some obscure optional extra; it is one of the most commonly used features in any Nginx configuration. If you have a rewrite directive or a set variable in your nginx.conf, you are exposed.
The severity is compounded by the attack surface. Nginx is, by definition, internet-facing. There is no authentication requirement to trigger the vulnerability. An attacker simply needs to craft a malicious request that hits a rewrite rule — something that can be automated at scale in minutes.
The Technical Root Cause
The vulnerability sits in a subtle mismatch between two phases of Nginx’s rewrite engine.
When Nginx processes a rewrite rule, it performs a two-pass operation. First, it calculates how much memory to allocate for the rewritten URI. Second, it copies the data into that allocated buffer. The problem is that these two passes operate on different engine states.
During the length-calculation phase, the engine runs on a zeroed sub-engine where the is_args flag remains unset. The calculation returns the raw capture length — the literal byte count of the captured URI segment. However, during the copy phase, the main engine is active, and is_args is set. This causes ngx_escape_uri to be invoked with NGX_ESCAPE_ARGS, which expands each escapable byte into a three-byte percent-encoded sequence.
The result: the copy phase writes more data than the buffer was sized to hold. A classic heap buffer overflow.
From Overflow to Code Execution
A heap overflow on its own is dangerous but not always exploitable. What makes Nginx Rift particularly nasty is the exploitation technique. Attackers use cross-request heap manipulation — spraying POST request bodies to arrange the heap so that the overflow corrupts an adjacent memory pool’s cleanup pointer. That pointer is redirected to a fabricated cleanup structure which calls system() during pool destruction.
In plain terms: the attacker sends a carefully crafted series of requests, and when Nginx cleans up its internal memory, it unwittingly executes the attacker’s command. No authentication. No file upload. No user interaction. Just HTTP requests.
Who Is Affected
The scope is enormous:
- Nginx Open Source versions 0.6.27 through 1.30.0
- Nginx Plus versions R32 through R36
- Any configuration using
rewrite,set, or related directives in the rewrite module
If you are running Nginx as a reverse proxy with URL rewriting (which is the default pattern for most application deployments), you are almost certainly vulnerable. This includes containerised deployments, Kubernetes ingress controllers using Nginx, and cloud load balancers built on Nginx.
What You Need to Do Right Now
1. Patch Immediately
Upgrade to the fixed versions:
- Nginx Open Source: 1.31.0 or 1.30.1
- Nginx Plus: R36 P4, R35 P2, or R32 P6
This is not a “schedule it for the next maintenance window” situation. The PoC is public. Treat this as a P0 incident.
2. Audit Your Configurations
Run a quick audit across your fleet:
grep -rn 'rewrite\|set \$' /etc/nginx/ --include='*.conf'Any configuration file that contains rewrite directives or set variable assignments is potentially exploitable. In practice, this means almost every non-trivial Nginx deployment.
3. Deploy Interim Mitigations If You Cannot Patch
If an immediate upgrade is not possible (and it should be — but we understand reality), consider these stopgaps:
- WAF rules: Deploy rules to inspect and sanitise URI components that would trigger escape expansion in rewrite processing.
- Disable rewrite rules: If feasible, temporarily convert rewrite-based routing to alternative mechanisms. This is rarely practical in production, but worth evaluating for critical systems.
- Network segmentation: Restrict which networks can reach your Nginx instances while you plan the upgrade.
4. Check for Signs of Exploitation
Review your access logs for unusual request patterns — specifically, requests with heavily encoded URI segments targeting paths with known rewrite rules. Look for abnormal POST body sizes in combination with rewrite-triggering URIs. If you have core dumps enabled, check for unexpected Nginx worker crashes, which may indicate failed exploitation attempts.
The Bigger Picture: Reverse Proxy Security
Nginx Rift is a stark reminder that your reverse proxy is not just a traffic director — it is an attack surface. Teams often treat Nginx as infrastructure furniture: configure it once, forget about it. But a vulnerability in the component that sits in front of everything else is, by definition, a vulnerability in everything behind it.
This should prompt a broader conversation about reverse proxy hygiene:
- Version tracking: Do you actually know which Nginx version is running across every environment? Including that container image your CI pipeline built eighteen months ago?
- Configuration drift: Are your Nginx configs managed through Infrastructure as Code, or are there hand-edited configurations sitting on production servers?
- Update cadence: When was the last time you proactively updated Nginx, as opposed to waiting for a CVE to force your hand?
- Defence in depth: If your reverse proxy is compromised, what else falls? If the answer is “everything”, your architecture needs rethinking.
How REPTILEHAUS Can Help
Infrastructure security is not something you bolt on after a CVE drops. At REPTILEHAUS, our DevOps and security teams help organisations build infrastructure that is auditable, patchable, and resilient by design — from Infrastructure as Code pipelines that ensure consistent, version-controlled deployments to security hardening reviews that catch misconfigurations before attackers do.
If Nginx Rift has exposed gaps in your infrastructure management, or if you need help auditing and hardening your deployment pipeline, get in touch. We would rather help you build it right than help you recover from a breach.
📷 Photo by Albert Stoynov (@albertstoynov) on Unsplash
