A newly disclosed flaw in NGINX’s rewrite module lets attackers run arbitrary code on vulnerable servers without needing any credentials.
Tracked as CVE-2026-42945 and scored at 9.2 CVSS, the issue is a heap-based buffer overflow in the ngx_http_rewrite_module that can be triggered by a specially crafted URI when certain rewrite rules are present. Versions of NGINX Open Source from 0.6.27 up to 1.30.0 and related NGINX Plus releases are impacted, with patched versions 1.30.1+, 1.31.0+ and NGINX Plus R32 through R36 addressing the flaw.
Exploitation does not require authentication; an attacker sends a malicious request that exploits the memory corruption, which can crash the worker process (a denial of service) or, if address space layout randomisation is disabled, lead to remote code execution. The flaw was first posted in a public repository by depthfirstdisclosures.
Although no specific threat actor has been linked to the bug, security teams have seen attempts to probe for the vulnerable rewrite pattern in the wild shortly after the public disclosure, and F5 announced fixes covering this issue alongside other high-severity flaws in its BIG-IP and NGINX product lines.
Administrators should first confirm the exact NGINX version in use and apply the latest patch from the official repositories or from F5 for NGINX Plus instances. If immediate patching is not possible, temporarily disabling or restricting the use of rewrite rules that match the vulnerable pattern can reduce risk, and enabling address space layout randomisation where supported adds another layer of defence against code execution (it does not prevent the worker crash itself).
Deploying a web application firewall to inspect and drop requests containing suspicious characters or overly long rewrite parameters can help block exploitation attempts, and monitoring error logs for repeated worker restarts provides early warning of ongoing attacks.
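The two checks recommended above, a version test against the affected range and a watch on the error log for repeated worker crashes, as an added example that is not from the original article or from NGINX or F5. It assumes the version string comes from `nginx -v` output and relies on the master process logging worker crashes as "worker process <pid> exited on signal <n>"; the log excerpt is constructed.

```python
import re

# Affected range as stated in the article: NGINX Open Source 0.6.27 up to
# and including 1.30.0; 1.30.1+ and 1.31.0+ carry the fix.
AFFECTED_MIN = (0, 6, 27)
AFFECTED_MAX = (1, 30, 0)

def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from text such as
    'nginx version: nginx/1.24.0' or a bare '1.30.1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version_text: str) -> bool:
    """True when the open-source version falls inside the vulnerable range."""
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX

# The nginx master process logs a crashed worker as an [alert] line of the
# form "worker process <pid> exited on signal <n>"; a burst of these is the
# early-warning signal the article refers to.
WORKER_EXIT = re.compile(r"worker process (\d+) exited on signal (\d+)")

def worker_crashes(log_lines, min_count: int = 3) -> dict:
    """Count worker exits per signal and raise an alert flag once the total
    reaches min_count. Returns {'total': n, 'by_signal': {...}, 'alert': bool}."""
    by_signal = {}
    for line in log_lines:
        m = WORKER_EXIT.search(line)
        if m:
            sig = int(m.group(2))
            by_signal[sig] = by_signal.get(sig, 0) + 1
    total = sum(by_signal.values())
    return {"total": total, "by_signal": by_signal, "alert": total >= min_count}

# Constructed sample error-log excerpt (not taken from a real incident).
SAMPLE_LOG = [
    "2026/05/01 10:00:01 [notice] 100#100: start worker process 200",
    "2026/05/01 10:00:05 [alert] 100#100: worker process 200 exited on signal 11 (core dumped)",
    "2026/05/01 10:00:05 [notice] 100#100: start worker process 201",
    "2026/05/01 10:00:06 [alert] 100#100: worker process 201 exited on signal 11 (core dumped)",
    "2026/05/01 10:00:07 [alert] 100#100: worker process 202 exited on signal 11 (core dumped)",
    '2026/05/01 10:00:09 [error] 100#100: *5 open() "/var/www/missing" failed (2: No such file)',
]

if __name__ == "__main__":
    print("affected:", is_affected("nginx version: nginx/1.24.0"))
    print(worker_crashes(SAMPLE_LOG))
```

Feed the real log with `worker_crashes(open("/var/log/nginx/error.log"))` and tune `min_count` to the normal churn of the deployment so that routine reloads do not trip the alert.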