## https://sploitus.com/exploit?id=85F2445E-7854-51E3-BE0F-509BF472696E
# NGINX CVE-2026-42945 Local Checker
This repository provides two standalone check scripts for locally identifying whether Nginx, OpenResty, and Tengine on Linux/Windows servers contain vulnerabilities related to CVE-2026-42945. The scripts only perform read-only collection and local analysis; they do not execute vulnerability exploits, send attack requests, modify configurations, restart services, or upgrade software.
## Files
| File | Description |
|---|---|
| `check_nginx_linux.sh` | Linux-based check script |
| `check_nginx_windows.ps1` | Windows-based check script |
| `README.md` | Execution instructions and rules |
## Scope
**Initial version capabilities:**
- Checks the native installed Nginx/OpenResty/Tengine on the local machine.
- Collects information about the host, processes, services, version details, compilation parameters, and effective configuration settings.
- Supports checking multiple Nginx/OpenResty/Tengine instances on the same server one by one.
- Identifies `rewrite` configurations related to CVE-2026-42945.
- Generates results in Chinese console output, along with `summary.txt`, `summary.json`, and a directory containing raw data.
**Not included in the initial version:**
- Docker/Kubernetes checks.
- Remote SSH/WinRM scans.
- Automatic repairs, upgrades, or configuration modifications.
- Vulnerability exploits or attack requests.
## Requirements
It is recommended to run the scripts with administrative privileges:
- **Linux:** Use a `root` account or an account with `sudo` permissions.
- **Windows:** Use PowerShell with “Run as Administrator” option.
If the script cannot be executed with administrative privileges, it can still be run manually, but if the complete `nginx -T` effective configuration cannot be exported, the result will be marked as “needs manual review”.
## Linux Usage
Upload `check_nginx_linux.sh` to the server and run it:
```bash
chmod +x check_nginx_linux.sh
sudo ./check_nginx_linux.sh
```
If `sudo` is not available, you can also run it directly:
```bash
./check_nginx_linux.sh
```
## Windows Usage
Upload `check_nginx_windows.ps1` to the server and run it using PowerShell with “Run as Administrator” option:
```powershell
powershell -ExecutionPolicy Bypass -File .\check_nginx_windows.ps1
```
## Output
The script will generate results in a directory named after itself. The directory names include the host name, time, and script process ID to prevent duplicate data.
```
nginx_check___/
summary.txt
summary.json
raw/
host_info.txt
process_info.txt
service_info.txt
package_info.txt
nginx_paths.txt
instances/
instance_01/
nginx_invocation.txt
nginx_version.txt
nginx_build.txt
nginx_config_dump.txt
risky_config_matches.txt
instance_02/
...
```
**Output description:**
| File or Directory | Description |
|---|---|
| `summary.txt` | Chinese summary, suitable for manual review and submission |
| `summary.json` | Structured results, convenient for batch summarization later |
| `raw/` | Original command output and evidence files |
| `raw/instances/instance_XX/` | Separate versions, configurations, and risk evidence for each instance |
The summary will include:
| Field | Description |
|---|---|
| Number of instances | Number of Nginx / OpenResty / Tengine candidate instances discovered and checked individually |
| Configuration size | Size of the original configuration file exported by `nginx -T` |
| Number of scanned lines | Number of configuration output lines actually scanned by the script |
| Number of dangerous configuration matches | Number of dangerous `rewrite` rules detected |
| Evidence summary | Preview of evidence for the most risky instances; full evidence available in the corresponding instance directory |
If the Nginx configuration is extensive, the script will not print the complete configuration in the console; the complete effective configuration is stored in the `nginx_config_dump.txt` file in the corresponding instance directory. When the configuration export file exceeds 10 MB, the script will continue to scan automatically and suggest manual verification based on the `raw/` results. ## Multi-Instance Behavior
If multiple `nginx`, `openresty`, or `tengine` candidate executable files are found on the server, the script will check each one and generate detailed instance reports. The conclusion in the overall summary is based on the most risky instance. The overall priority is conservative:
1. `Affected with risky configurations`
2. `Requires manual review`
3. `Affected without risky configurations`
4. `Not affected`
5. `Nginx not installed`
Here, “Requires manual review” has a higher priority than “Affected without risky configurations,” indicating that unverified instances require further verification. This does not mean that dangerous configurations have been confirmed. ## Risk Conclusions
| Conclusion | Meaning |
|---|---|
| Nginx not installed | No Nginx / OpenResty / Tengine commands, processes, or services found |
| Not affected | Clearly a fixed version, and no dangerous configurations found |
| Affected without risky configurations | The version is suspected to be affected, but no dangerous `rewrite` configurations found |
| Affected with risky configurations | The version is suspected to be affected or its derivatives require review, and dangerous `rewrite` configurations found |
| Requires manual review | Version unknown, derivative versions, configuration collection failed, insufficient permissions, or insufficient evidence |
## Risky Rewrite Detection
The script focuses on checking the following combinations:
- `$1`, `$2`, etc. are used as unnamed capture variables in `rewrite` string replacements.
- `?` (a literal question mark) is included in `rewrite` string replacements, but it is not considered a risk condition.
- There are subsequent `rewrite`, `if`, or `set` instructions within the same scope. After a match is found, the configuration file path, line number, and reason for the match are recorded in the `raw/instances/instance_XX/risky_config_matches.txt` file in the corresponding instance directory. Each matched line corresponds to a dangerous `rewrite` instruction; if multiple `rewrite`, `if`, or `set` instructions are found later, only the first trigger item is displayed to avoid excessive expansion of evidence files. ## Version Rules
| Product | Version judgment |
|---|---|
| NGINX `1.31.0+` | Fixed; the script indicates “Fixed (mainline)” |
| NGINX `1.30.1+` | Fixed; the script indicates “Fixed (stable)” |
| NGINX `0.6.27-1.30.0` | Suspected to be affected |
| OpenResty / Tengine | Versions and configurations can be collected, but the impact of versions requires manual review by default |
There may be cases where the version number is older but patches have been applied. If a vendor patch can be provided, manual confirmation can be done in conjunction with `summary.txt` and package version information.