Critical Unauthenticated RCE in NGINX Rewrite Module (CVE‑2026‑42945) Exposes 18‑Year‑Old Flaw
What It Is – Researchers from the depthfirst team uncovered a heap‑buffer‑overflow in ngx_http_rewrite_module that has existed in NGINX Open Source and NGINX Plus for 18 years. The flaw (CVE‑2026‑42945) allows an unauthenticated attacker to execute arbitrary code on the web server host.
Exploitability – The vulnerability is rated CVSS 4.0 9.2 (Critical). Public proof‑of‑concept code has been released, and early testing shows reliable remote code execution without credentials. No known active ransomware‑oriented campaigns yet, but the exploit is trivial to weaponize.
Affected Products – NGINX Open Source 1.0 through 1.27 (all supported branches) and NGINX Plus 1.0 through 1.27. The issue resides in the core ngx_http_rewrite_module used for URL rewriting and conditional routing.
TPRM Impact –
- Any third‑party service that relies on NGINX as a reverse‑proxy, load balancer, or API gateway inherits the same RCE risk.
- Compromise of a single NGINX instance can provide attackers lateral movement into downstream applications, exposing data across the supply chain.
- Organizations that embed NGINX in SaaS platforms, CI/CD pipelines, or edge‑computing appliances face heightened breach probability.
Recommended Actions –
- Deploy the vendor‑released patches (NGINX 1.27.4 or later) immediately across all environments.
- Verify the patch level on every host, including container images, VM snapshots, and managed‑service instances.
- Enable strict request‑size limits and WAF rules that block unexpected large rewrite payloads while patches are applied.
- Conduct a rapid inventory of all third‑party vendors that expose NGINX endpoints and request proof of remediation.
- Monitor logs for abnormal
rewritemodule activity (e.g., unusually large$urivalues or malformed regex patterns).
Source: The Hacker News – 18‑Year‑Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE