Share
## https://sploitus.com/exploit?id=84F37866-4BB9-51F0-AFC8-B4F941E79576
# CVE-2026-42945 Safe Checker

This repository contains a defensive, static checker for CVE-2026-42945 in NGINX `ngx_http_rewrite_module` configuration.

It does not exploit the vulnerability, send crafted HTTP requests, or attempt to crash a target. It only scans local NGINX configuration for the risky directive pattern described in public advisories.

## Background

CVE-2026-42945 is a heap-based buffer overflow in NGINX Open Source and NGINX Plus `ngx_http_rewrite_module`. Public advisory text describes exposure when a `rewrite` directive is followed by `rewrite`, `if`, or `set`, with an unnamed PCRE capture reference such as `$1` or `$2`, and a rewrite replacement string containing `?`.

Patched NGINX Open Source versions are `1.30.1` and `1.31.0` or newer. For NGINX Plus, use the fixed releases from the vendor advisory.

Primary references:

- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42945
- F5 advisory: https://my.f5.com/manage/s/article/K000161019
- oss-security mirror: https://seclists.org/oss-sec/2026/q2/519

## Usage

Scan a rendered NGINX configuration:

```bash
nginx -T > nginx-rendered.conf
python3 cve_2026_42945_checker.py nginx-rendered.conf
```

Scan a config directory:

```bash
python3 cve_2026_42945_checker.py /etc/nginx
```

Emit JSON:

```bash
python3 cve_2026_42945_checker.py --json nginx-rendered.conf
```

Classify an explicit NGINX version, useful when scanning a config export that
does not include the `nginx -T` version banner:

```bash
python3 cve_2026_42945_checker.py --json --nginx-version 1.30.0 nginx-rendered.conf
```

Emit SARIF for GitHub code scanning or other security dashboards:

```bash
python3 cve_2026_42945_checker.py --sarif nginx-rendered.conf > cve-2026-42945.sarif
```

The process exits with:

- `0` when no risky pattern is found
- `1` when at least one risky pattern is found
- `2` on input or file errors

## Remediation

Upgrade NGINX to a fixed version first. Then review risky rewrite rules and prefer named captures over unnamed capture references where possible. For NGINX Plus, follow the fixed release guidance in the vendor advisory.

## Scope

Static configuration checks can miss dynamically generated configuration, included files outside the scan path, vendor patches, and runtime differences. Treat this as a triage aid, not a full vulnerability assessment.

## Development

Run tests locally with:

```bash
python -m pytest
```

The repository also includes a GitHub Actions workflow that runs the test suite
on pushes and pull requests.