## https://sploitus.com/exploit?id=D3DCF4B0-89DE-5EFB-B681-0725BD21449A
# nginx-rift-scanner
Scans your nginx installation for [CVE-2026-42945](https://nginx.org/en/security_advisories.html) โ a critical (CVSS 9.2) heap buffer overflow in `ngx_http_rewrite_module` present in nginx since 2008.
## What is CVE-2026-42945?
A heap buffer overflow triggered when nginx processes a request through a location block that combines two common directives:
1. A `rewrite` whose replacement contains `?` (sets an internal `is_args` flag)
2. A `set` that references a regex capture group (`$1`, `$2`, โฆ)
The bug lives in nginx's two-pass script engine. The length calculation pass uses a fresh sub-engine (zeroed, `is_args=0`) while the copy pass runs on the main engine (where `is_args=1` is still set). When the URI contains escapable characters like `+` or `&`, the copy phase expands each byte to three bytes โ writing far past the allocated buffer into the heap.
**Affected versions:** nginx 0.6.27 โ 1.30.0, nginx Plus R32 โ R36, and several F5/nginx products (see [full advisory](https://nginx.org/en/security_advisories.html))
**Fixed in:** nginx 1.30.1 / nginx Plus R37
### Example vulnerable config
```nginx
location ~ ^/api/(.*)$ {
rewrite ^/api/(.*)$ /internal?migrated=true;
set $original_endpoint $1; # **sudo is recommended** โ `nginx -T` (which reads the full expanded config including all includes) requires root on most systems.
Without sudo, the scanner falls back to reading config files directly from common paths. You can also pass a config path explicitly:
```bash
sudo python3 scanner.py /etc/nginx/nginx.conf
sudo python3 scanner.py /etc/nginx
```
## What it checks
| Check | How |
|---|---|
| nginx version | `nginx -v` โ flags anything in 0.6.27 โ 1.30.0 |
| Config pattern | `nginx -T` + brace-depth parser finds `rewrite`+`set` combinations |
| Include files | Fully resolved โ all `include` directives are followed |
## Output
**Vulnerable** (affected version + vulnerable config found):
```
[โ] nginx/1.27.5 AFFECTED (patched in 1.30.1)
[โ] 1 vulnerable block(s) found:
[1] /etc/nginx/conf.d/api.conf
Block : location ~ ^/api/(.*)$
L12 rewrite ^/api/(.*)$ /internal?migrated=true
L13 set $original_endpoint $1
VULNERABLE
Affected version + vulnerable config pattern detected.
Update to nginx 1.30.1 or nginx Plus R37 immediately.
```
**Not vulnerable** (patched version, no pattern):
```
[โ] nginx/1.30.1 not in affected range
[โ] No vulnerable rewrite+set pattern found
NOT VULNERABLE
Version is patched and no vulnerable config pattern detected.
```
Exit code is `1` if the host is determined to be vulnerable, `0` otherwise โ suitable for use in scripts and CI.
## Requirements
- Python 3.6+
- No third-party dependencies (stdlib only)
## Limitations
- Static analysis only โ patterns generated dynamically by Lua (`content_by_lua`), NJS, or templating systems are not detected
- `nginx -T` may require root; without it, the scanner reads config files directly but may miss some includes
- Only the open-source nginx binary version is checked; validate manually if using nginx Plus or a distro-patched build
## Fix
Update nginx:
```bash
# Debian / Ubuntu
apt-get update && apt-get install --only-upgrade nginx
# RHEL / CentOS / Amazon Linux
yum update nginx
# Alpine
apk upgrade nginx
```
Or, if you cannot update immediately, restructure the vulnerable location block to avoid the `rewrite`+`set`+`?` combination โ for example, move the `set` before the `rewrite`, or use `$request_uri` instead of a capture group in the `set` directive.
## References
- [nginx security advisory](https://nginx.org/en/security_advisories.html)
- [Nginx Rift technical writeup โ depthfirst.com](https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability)
- [DepthFirstDisclosures/Nginx-Rift PoC](https://github.com/DepthFirstDisclosures/Nginx-Rift)
## License
MIT