## https://sploitus.com/exploit?id=204AAC54-CABD-571F-9D3B-BE59F333764B
# NGINX Rift Configuration Scanner
Language: Chinese | [English](README.en.md)
This is a lightweight script designed to check whether there are risk levels related to CVE-2026-42945 (NGINX Rift) in NGINX configurations. This vulnerability was disclosed by depthfirst in the article ["NGINX Rift: Achieving NGINX RCE via an 18-Year-Old Vulnerability"](https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability). According to the article and F5/NVD descriptions, the risk is associated with specific configuration combinations of the `ngx_http_rewrite_module`: within the same configuration context, the replacement string of `rewrite` contains `?`, and subsequent `rewrite`, `if`, or `set` statements refer to unnamed PCRE capture variables, such as `$1`, `$2`.
## Target Check
This tool primarily checks whether the following high-risk sequence exists in the NGINX configuration file:
```nginx
location ~ ^/api/(.*)$ {
rewrite ^/api/(.*)$ /internal?migrated=true;
set $original_endpoint $1;
}
```
The risk lies not in the individual `rewrite` or `set` commands, but in their execution order within the same context:
1. The `rewrite` command uses regular expressions for capturing, and its replacement string contains `?`.
2. Subsequent `rewrite`, `if`, or `set` commands use unnamed capture variables like `$1`, `$2`.
This combination may trigger inconsistencies in the NGINX script engine’s length calculation and actual copying phase, leading to a stack buffer overflow.
## Impact Scope
The affected versions listed in depthfirst include:
- NGINX Open Source 0.6.27 to 1.30.0
- NGINX Plus R32 to R36
- Some F5/NGINX products based on NGINX
For actual fixed versions and product matrices, please refer to the F5 official announcements or release notes. Even if a version is within the affected range, it usually requires a specific `rewrite` configuration sequence to trigger the vulnerability. The script will also output the current NGINX version and the configuration scan results:
- Versions between `0.6.27 - 1.30.0` with matching configuration: NGINX must be upgraded or the configuration adjusted.
- Versions between `0.6.27 - 1.30.0` without matching configuration: An upgrade is recommended, but no configuration triggering conditions were found by this tool.
- Configurations that match the risk level but are not within the affected range: It is recommended to review the configuration and maintain the fixed version.
## Usage
To scan the entire NGINX configuration on the current machine, use the following command:
```bash
python3 scan_rift.py
```
The script will execute:
```bash
nginx -T
```
If the current user does not have permission to read the full configuration, use `sudo`:
```bash
sudo python3 scan_rift.py
```
You can also scan a previously exported configuration file:
```bash
python3 scan_rift.py /path/to/nginx-full.conf
```
For example, export the configuration before scanning:
```bash
sudo nginx -T > nginx-full.conf
python3 scan_rift.py nginx-full.conf
```
## Description of Actions
When no risky sequences are found:
```text
--- NGINX Rift Config Scanner (CVE-2026-42945) ---
Current NGINX Version: nginx version: nginx/1.23.3
Version Status: The current version of NGINX Open Source is within the affected range (0.6.27 – 1.30.0).
[+] No vulnerable CVE-2026-42945 sequences were detected. [Recommendation]: The current NGINX version is within the affected range, but no vulnerable configuration sequences were found. An upgrade is recommended, but no configuration risks were identified by this scanner.
```
When suspicious sequences are found:
```text
--- NGINX Rift Config Scanner (CVE-2026-42945) ---
Current NGINX Version: nginx version: nginx/1.23.3
Version Status: The current version of NGINX Open Source is within the affected range (0.6.27 – 1.30.0).
[!] VULNERABLE SEQUENCE FOUND:
Context: location ~ ^/api/(.*)$ {
[1. Rewrite With ?] rewrite ^/api/(.*)$ /internal?migrated=true;
[2. Follow-up $N] set $original_endpoint $1;
[Action Required]: The current NGINX version is vulnerable, and a vulnerable configuration was detected. Upgrade NGINX or adjust the reported rewrite/if/set sequences.
---
It is necessary to manually verify whether the configured context can be accessed by external requests and promptly upgrade NGINX or adjust the configuration.
## Action Recommendations
- Upgrade to the fixed version released by the vendor.
- Check all `rewrite`, `set`, and other combinations in contexts such as `location`, `server`, and `if`.
- Avoid using unnamed capture variables like `$1` and `$2` after `rewrite` with the `?` symbol.
- Consider using named captures, pre-stored variables, split processing logic, or removing unnecessary `query string` rewrites.
- Prioritize making NGINX services and reverse proxy entries accessible to the public network before fixing the issue.
- Do not rely solely on version checks; whether the configuration contains triggering sequences is equally important.
## Limitations
This script is a static configuration scanning tool designed to quickly identify high-risk patterns. It does not equivalent to vulnerability exploitation verification.
- False positives may occur, requiring manual review in conjunction with actual NGINX contexts.
- Complex multi-line instructions, abnormal `include` expansions, or dynamically generated configurations may affect scanning results.
- Not finding risks does not mean absolute safety. It is still necessary to upgrade to the official fixed version.
## References
- depthfirst:
- NVD CVE-2026-42945:
- F5 Advisory K000161019: