NGINX, owned by F5, is one of the most widely used reverse proxy servers in the world and a critical part of the global Internet's infrastructure. A security research company has now disclosed a high-risk vulnerability in the software, tracked as CVE-2026-42945: a heap buffer overflow in the NGINX script engine that has existed for 18 years.

An attacker only needs to send a carefully constructed HTTP request to an exposed NGINX server to remotely take it over. NGINX accounts for nearly 30% of the global web server and reverse proxy field, so this vulnerability may affect a large number of Internet services.

Affects NGINX itself and multiple derivatives:

This vulnerability was originally introduced in NGINX version 0.6.27, released in 2008, and went undiscovered for a long time, lurking until now. It affects NGINX versions 0.6.27 through 1.30.0, as well as the various NGINX derivatives that F5 provides to commercial customers. Affected derivative products include, but are not limited to, NGINX WAF, F5 WAF, NGINX Gateway Fabric and NGINX Ingress Controller.

The conditions that trigger the vulnerability are subtle. It is activated only when the following two directives appear together in the NGINX configuration file:

rewrite ^/api/(.*)$ /internal?migrated=true;  # rewrite rule carries a "?" at the end
set $original_endpoint $1;                     # uses a regex capture group
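As an added example (not from the advisory, the researchers or F5), a small Python audit script that scans an nginx configuration for the two-directive combination described above: a rewrite whose replacement contains "?" followed, in the same block, by a set directive that reads a capture group. It is a line-based heuristic rather than a full nginx config parser, and the sample configuration is constructed.

```python
import re

# Constructed sample nginx configuration (not from the advisory). The first
# location reproduces the two-directive combination described above; the
# second is a benign rewrite whose replacement contains no "?".
SAMPLE_CONFIG = """
server {
    listen 80;
    location /api/ {
        rewrite ^/api/(.*)$ /internal?migrated=true;
        set $original_endpoint $1;
    }
    location /static/ {
        rewrite ^/static/(.*)$ /assets/$1 last;
        set $asset $1;
    }
}
"""

# rewrite <regex> <replacement> [flag]: only the replacement is checked for "?"
REWRITE_RE = re.compile(r'^\s*rewrite\s+(\S+)\s+(\S+)')
# set $name <value>, where the value references a capture group $1..$9
SET_CAPTURE_RE = re.compile(r'^\s*set\s+\$\w+\s+.*\$[1-9]')

def strip_comment(line):
    """Drop a trailing '#' comment (nginx has only line comments)."""
    return line.split('#', 1)[0]

def find_risky_combinations(config_text):
    """Return (rewrite_line, set_line) pairs where a rewrite whose replacement
    contains '?' is followed, in the same {...} block, by a set directive that
    reads a regex capture group. Line-based heuristic, not a full parser."""
    findings = []
    # one entry per open block: line number of the last '?' rewrite, or None
    block_stack = [None]
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = strip_comment(raw)
        m = REWRITE_RE.match(line)
        if m and '?' in m.group(2):
            block_stack[-1] = lineno
        elif SET_CAPTURE_RE.match(line) and block_stack[-1] is not None:
            findings.append((block_stack[-1], lineno))
        # track nesting; braces are counted after the directive on the same line
        block_stack.extend([None] * line.count('{'))
        for _ in range(line.count('}')):
            if len(block_stack) > 1:
                block_stack.pop()
    return findings
```

Calling find_risky_combinations(SAMPLE_CONFIG) returns [(5, 6)], the line numbers of the rewrite and set pair in the /api/ location; the /static/ block is not reported.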

The research team that discovered the vulnerability pointed out that its root cause lies in the script engine (ngx_http_script.c) of ngx_http_rewrite_module. When the rewrite directive contains a question mark, the persistent is_args flag is set; but in the subsequent length-calculation phase for the set directive, the engine uses a freshly cleared sub-engine, so the URL escaping logic is skipped while the length is computed.

In the actual copy stage, however, the main engine is used, which triggers the ngx_escape_uri function to escape characters such as + and &. The buffer is allocated according to the unescaped length but the expanded content is written into it, ultimately causing a controllable heap buffer overflow.

F5 has released NGINX versions 1.31.0 and 1.30.1 to fix the issue:

After receiving the vulnerability report, F5 quickly confirmed it, and once F5 had prepared the fix, the researchers publicly disclosed the vulnerability. Users currently running NGINX or its derivatives therefore need to upgrade to the latest unaffected version: the open source version of NGINX should be upgraded to 1.30.1 or 1.31.0, while the older versions 0.6.27 through 1.30.0 remain affected.

For version information on the other derivatives, see the F5 Security Bulletin: https://my.f5.com/manage/s/article/K000160932