## https://sploitus.com/exploit?id=84F37866-4BB9-51F0-AFC8-B4F941E79576
# CVE-2026-42945 Safe Checker
This repository contains a defensive, static checker for CVE-2026-42945 in NGINX `ngx_http_rewrite_module` configuration.
It does not exploit the vulnerability, send crafted HTTP requests, or attempt to crash a target. It only scans local NGINX configuration for the risky directive pattern described in public advisories.
## Background
CVE-2026-42945 is a heap-based buffer overflow in NGINX Open Source and NGINX Plus `ngx_http_rewrite_module`. Public advisory text describes exposure when a `rewrite` directive is followed by `rewrite`, `if`, or `set`, with an unnamed PCRE capture reference such as `$1` or `$2`, and a rewrite replacement string containing `?`.
Patched NGINX Open Source versions are `1.30.1` and `1.31.0` or newer. For NGINX Plus, use the fixed releases from the vendor advisory.
Primary references:
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-42945
- F5 advisory: https://my.f5.com/manage/s/article/K000161019
- oss-security mirror: https://seclists.org/oss-sec/2026/q2/519
## Usage
Scan a rendered NGINX configuration:
```bash
nginx -T > nginx-rendered.conf
python3 cve_2026_42945_checker.py nginx-rendered.conf
```
Scan a config directory:
```bash
python3 cve_2026_42945_checker.py /etc/nginx
```
Emit JSON:
```bash
python3 cve_2026_42945_checker.py --json nginx-rendered.conf
```
Classify an explicit NGINX version, useful when scanning a config export that
does not include the `nginx -T` version banner:
```bash
python3 cve_2026_42945_checker.py --json --nginx-version 1.30.0 nginx-rendered.conf
```
Emit SARIF for GitHub code scanning or other security dashboards:
```bash
python3 cve_2026_42945_checker.py --sarif nginx-rendered.conf > cve-2026-42945.sarif
```
The process exits with:
- `0` when no risky pattern is found
- `1` when at least one risky pattern is found
- `2` on input or file errors
## Remediation
Upgrade NGINX to a fixed version first. Then review risky rewrite rules and prefer named captures over unnamed capture references where possible. For NGINX Plus, follow the fixed release guidance in the vendor advisory.
## Scope
Static configuration checks can miss dynamically generated configuration, included files outside the scan path, vendor patches, and runtime differences. Treat this as a triage aid, not a full vulnerability assessment.
## Development
Run tests locally with:
```bash
python -m pytest
```
The repository also includes a GitHub Actions workflow that runs the test suite
on pushes and pull requests.