New Nginx Exploit

Hacker News, May 14, 2026

Why It Matters

The vulnerability compromises the integrity of millions of web servers that rely on NGINX, exposing them to full system takeover and data breach risks. Prompt patching is essential to prevent attackers from exploiting the unauthenticated RCE vector.

Key Takeaways

  • Critical heap overflow in NGINX rewrite module enables unauthenticated RCE
  • Four memory‑corruption CVEs discovered simultaneously by Depthfirst's AI system
  • Affected NGINX 0.6.27‑1.30.0; patches in 1.30.1, 1.31.0
  • Enterprises must upgrade immediately or deploy web‑application firewalls to block exploitation

Pulse Analysis

NGINX powers an estimated 30% of the global web‑traffic load, making any flaw in its core modules a high‑stakes issue for enterprises and cloud providers. Depthfirst’s AI‑driven scanner flagged CVE‑2026‑42945 after a single onboarding click, highlighting how automated code analysis can surface decades‑old bugs that traditional testing missed. The discovery underscores the growing reliance on machine‑learning tools to augment human security research, especially for widely deployed open‑source software that often lags behind in systematic auditing.

The exploit hinges on NGINX’s two‑pass rewrite engine. During the length‑calculation pass, the is_args flag is cleared, producing a buffer size for the raw, unescaped data. In the subsequent copy pass, the flag is set, triggering ngx_escape_uri to expand characters threefold, which overruns the undersized heap buffer. Attackers can then manipulate adjacent pool structures via crafted POST bodies, redirecting a cleanup pointer to invoke system() on pool destruction. The vulnerability affects open‑source releases from 0.6.27 through 1.30.0 and NGINX Plus R32‑R36, with patches issued in the 1.30.1/1.31.0 series and corresponding Plus patches, prompting urgent updates across data‑center deployments.

For operators, the immediate response is to apply the official patches and verify version compliance across all edge and application servers. Organizations lacking rapid patch cycles should consider interim mitigations such as strict input validation, disabling unnecessary rewrite rules, and deploying web‑application firewalls that can detect anomalous URI patterns. The incident also serves as a cautionary tale: legacy code paths can harbor exploitable bugs long after their introduction, and continuous, automated security testing is becoming indispensable for maintaining the resilience of critical internet infrastructure.
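
One way to run the version-compliance check described above, as an added example that is not part of the original article: it classifies collected nginx -v banners against the version ranges this page gives. The host names and inventory are constructed, and the function names and status labels are this example's own.

```python
import re

# Version bounds exactly as this page states them.
FIRST_AFFECTED = (0, 6, 27)
LAST_AFFECTED = (1, 30, 0)        # fixed in 1.30.1 and 1.31.0
PLUS_AFFECTED = range(32, 37)     # NGINX Plus R32 through R36

# `nginx -v` banner (written to stderr); Plus adds "(nginx-plus-rNN)".
BANNER = re.compile(r"nginx/(\d+)\.(\d+)\.(\d+)(?:\s+\(nginx-plus-r(\d+))?")

def classify(banner):
    """Map one banner to a status string."""
    m = BANNER.search(banner)
    if m is None:
        return "unparsed"            # fork or custom build: check by hand
    if m.group(4) is not None:
        # The page gives no fixed Plus patch level, so flag instead of clearing.
        in_range = int(m.group(4)) in PLUS_AFFECTED
        return "plus-check-patch" if in_range else "plus-outside-range"
    version = tuple(int(part) for part in m.group(1, 2, 3))
    if version < FIRST_AFFECTED:
        return "before-range"
    return "affected" if version <= LAST_AFFECTED else "patched"

def audit(inventory):
    """Return {host: status} for lines of the form '<host> <banner>'."""
    results = {}
    for line in inventory.strip().splitlines():
        host, _, banner = line.strip().partition(" ")
        results[host] = classify(banner)
    return results

def needs_action(results):
    # Hosts that are affected or could not be cleared automatically.
    flagged = {"affected", "plus-check-patch", "unparsed"}
    return sorted(h for h, s in results.items() if s in flagged)

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = """
edge-01 nginx version: nginx/1.24.0
edge-02 nginx version: nginx/1.30.1
app-01 nginx version: nginx/1.31.0
app-02 nginx version: nginx/0.6.26
lb-01 nginx version: nginx/1.25.5 (nginx-plus-r32)
lb-02 nginx version: openresty/1.25.3.1
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:8} {status}")
```

Banners that do not parse, such as forks that report their own product name, are flagged for manual review rather than treated as safe.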
