Share
## https://sploitus.com/exploit?id=B7AC5919-D76A-529B-8E1B-78178908C977
# NGINX Rift β CVE-2026-42945 Vulnerability Scanning and Verification Tool
NGINX Rift is an open-source scanning and verification tool targeting **CVE-2026-42945** (NGINX `ngx_http_rewrite_module` heap overflow vulnerability). It supports remote network fingerprint scanning and local deep configuration auditing, helping security teams quickly identify potential risks in NGINX environments.
## Vulnerability Overview
| Attribute | Details |
|-----------|----------|
| **CVE Number** | CVE-2026-42945 |
| **Vulnerability Type** | Heap Overflow |
| **Affected Component** | NGINX `ngx_http_rewrite_module` |
| **Affected Versions** | NGINX Open Source Edition 0.6.27 ~ 1.30.0 / NGINX Plus R32 ~ R36 |
| **Fixed Versions** | NGINX 1.30.1 (stable) / 1.31.0 (mainline) / NGINX Plus R32 P6+ |
| **Risk Level** | High β Can cause Denial-of-Service (DoS) and Remote Code Execution (RCE) |
**Trigger Conditions** (must all three conditions be met):
1. Presence of a `rewrite` directive in NGINX configuration.
2. Replacement of URLs that contain `?` (query string separator).
3. Use of unnamed capture groups (e.g., `$1`, `$2`) in URL replacements.
**Example of a vulnerable configuration:**
```nginx
rewrite ^/api/(.*)$ /internal?id=$1 last;
```
**Secure Configuration (using named capture groups):**
```nginx
rewrite ^/api/(?.*)$ /internal?id=$myid last;
```
## Features
- **Remote Scan Mode** β Identifies NGINX versions using HTTP response headers. Supports single and batch scans.
- **Local Verification Mode** β Three-step audit: binary version detection β configuration file semantics analysis β K8s Ingress resource probing.
- **OS Patch Retroversion Detection** β Works with `dpkg`/`rpm` package managers to check if the release has been patched via backports.
- **K8s Cloud-Native Support** β Automatically detects dangerous `rewrite-target` annotations in Kubernetes Ingress resources.
- **Zero-** β Implemented entirely with the Go standard library, compiled as a single file without third-party dependencies.
- **Cross-platform** β Supports Windows / Linux / macOS (amd64 + arm64).
## Installation
### Method 1: Download Precompiled Binary
Download the binary for your platform from the [Releases](../../releases) page.
### Method 2: Compile from Source Code
```bash
git clone https://github.com/nu0l/NGINX-Rift.git
cd NGINX-Rift
# Compile for a single platform
go build -o nginx_rift_scanner nginx_rift_scanner.go
# Cross-platform compilation
chmod +x build.sh &&./build.sh
```
## Usage
### View Help
```bash./nginx_rift_scanner -h
```
### Scan Mode β Remote Network Scan
```bash
# Scan a single target./nginx_rift_scanner scan -u http://example.com
# Batch scan (reads URL list from file)./nginx_rift_scanner scan -f url.txt
```
In `url.txt`, each line represents a URL, for example:
```
http://target1.com
https://target2.com
target3.com
```
### Verify Mode β Local Deep Audit
```bash
# Automatically find the default NGINX configuration path./nginx_rift_scanner verify
# Specify the configuration file path./nginx_rift_scanner verify -p /etc/nginx/nginx.conf
```
The Verify mode performs three-step audits:
1. **Binary Version Detection** β Runs `nginx -v` to get the version and checks OS package managerβs Backport patches.
2. **Configuration File Analysis** β Recursively parses NGINX configurations (including `include` directives), identifying dangerous rewrite rules.
3. **K8s Ingress Detection** β If `kubectl` is detected, automatically scans all Ingress resources in the cluster.
## Fix Suggestions
| Priority | Solution | Description |
|--------|----------|----------|
| P0 | Upgrade NGINX | Upgrade to 1.30.1+ / 1.31.0+ / NGINX Plus R32 P6+ |
| P0 | Update OS Package Manager | `apt-get upgrade nginx` or `yum update nginx` |
| P1 | Urgent Configuration Mitigation | Change `$1` in rewrite rules to a named capture group `$name`, without requiring downtime. |
| P2 | K8s Ingress Fixing | Upgrade the Ingress Controller and modify `rewrite-target` annotations. |
| P3 | Advanced Defense | Configure `server_tokens off;` to hide version fingerprints. |
## Project Structure
```
NGINX-Rift/
βββ nginx_rift_scanner.go # Main program source code
βββ build.sh # Cross-platform compilation script
βββ go.mod # Go module definition
βββ README.md
```
## Technical Implementation
- Uses the Go standard library `net/http` to send HTTP requests and parse `Server` response headers.
- Matches and extracts version numbers for Open Source Edition (`nginx/X.Y.Z`) and Commercial Edition (`NGINX Plus RXX`).
- Recursively parses NGINX configuration files, tracks `include` directives, and uses a `visited` map to prevent circular references.
- Dynamically retrieves K8s Ingress configurations using `kubectl get ingress --all-namespaces -o yaml`.
- Checks OS-level Backports by calling `dpkg-query`/`rpm --changelog`.
- Compiles statically (`CGO_ENABLED=0`) to generate a standalone binary without C dependencies.
## License
MIT License
## Acknowledgments
Contributed by the security community.