18-Year-Old NGINX Flaw Poses Remote Code Execution Risk


Cybersecurity researchers have disclosed multiple security vulnerabilities affecting NGINX Plus and NGINX Open Source, including a critical flaw in the rewrite module that remained undetected for 18 years. The discovery, made by security researcher depthfirst, involves a heap buffer overflow in ngx_http_rewrite_module, tracked as CVE-2026-42945. The vulnerability carries a CVSS v4 score of 9.2 and could allow an unauthenticated attacker to achieve remote code execution.

The vulnerability was found to reside in the way the rewrite module handles certain input. A heap buffer overflow occurs when a program writes more data to a buffer in the heap memory than it is allocated to hold, potentially corrupting adjacent data and enabling code execution. In this case, an attacker could exploit the flaw remotely without needing prior authentication, making it a significant threat to systems running affected versions.

Scope of the Vulnerabilities

The research team identified a total of three vulnerabilities. Beyond the critical rewrite module flaw, the disclosures include a moderate-severity issue in the QUIC protocol implementation and a low-severity problem involving DNS resolution within NGINX.

The flaw in the QUIC protocol, CVE-2025-23019, can lead to a denial-of-service condition: when processing specially crafted QUIC packets, the server may crash, disrupting service for legitimate users. The third vulnerability, CVE-2025-23020, concerns DNS resolution, where a malformed response could cause an incorrect cache entry, though its practical exploitability is considered low.

Impact and Affected Versions

NGINX officials have confirmed that the critical rewrite module vulnerability exists in all versions of NGINX Open Source and NGINX Plus released since the module was introduced. This means the flaw has been present for approximately 18 years, spanning numerous major and minor releases.

Systems running NGINX Open Source from version 0.5.6 through 1.27.3 are affected. For NGINX Plus, versions from R1 through R33 are vulnerable. Users of these products are strongly advised to update to the patched versions, which were released concurrently with the disclosure.

Patches and Mitigations

F5 Networks, which maintains the NGINX project, has released patches for both NGINX Open Source and NGINX Plus. The patches address all three disclosed vulnerabilities. Users are urged to upgrade to NGINX Open Source version 1.27.4 or later and NGINX Plus version R34 or later.

For those unable to immediately patch, a workaround is available. Administrators can disable the rewrite module if they do not use its features. However, this is a configuration change and may disrupt services that rely on URL rewriting or redirect logic. F5 recommends patching as the primary and most secure course of action.

Background on NGINX and the Rewrite Module

NGINX is a widely used web server, reverse proxy, and load balancer, powering a significant percentage of the world’s busiest websites. The ngx_http_rewrite_module is a standard module that performs URL rewriting and redirects, allowing server administrators to change request URIs using regular expressions.

The module processes directives like `rewrite` and `return` in NGINX configuration files. While it is a core component of NGINX functionality, not every deployment uses it extensively. Attackers targeting this flaw would need to first find a way to trigger a specific processing path within the module that leads to the buffer overflow.

Broader Industry Context

The disclosure highlights the persistent challenges of long-latent vulnerabilities in widely deployed infrastructure software. These vulnerabilities can remain hidden for years, often because the specific code paths required for exploitation are not routinely tested in security audits. The 18-year timespan of the NGINX rewrite module flaw underscores the difficulty of securing foundational network components.

Cybersecurity firm Wiz, which coordinated the disclosure process, noted that similar flaws in proxy servers and load balancers have been discovered in recent years. Such vulnerabilities pose a risk because they sit at the network edge, often directly exposed to the internet.

Public and private sector organizations using NGINX should immediately audit their systems to determine if they are running patched versions. Web application firewalls and intrusion detection systems may provide additional layers of defense, but patching remains the most effective mitigation.
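The version audit recommended above and the rewrite-module workaround from the mitigations section can be checked in one place from the output of `nginx -V` (which prints to stderr, so capture it with `nginx -V 2>&1`). The script below is an added example, not F5's or the researchers' code; the affected ranges are the ones stated in this article, the `(nginx-plus-rNN)` suffix format and the `--without-http_rewrite_module` build option are assumptions about how NGINX reports itself, and the sample outputs are constructed.

```python
import re

# Affected ranges as stated in the article: OSS 0.5.6 .. 1.27.3, Plus R1 .. R33.
OSS_FIRST_AFFECTED = (0, 5, 6)
OSS_FIRST_FIXED = (1, 27, 4)
PLUS_FIRST_FIXED = 34
# Build-time option that omits the rewrite module entirely (assumed to be the
# mechanism behind the "disable the rewrite module" workaround).
WORKAROUND_FLAG = "--without-http_rewrite_module"

def parse_nginx_v(output):
    """Extract (version_tuple, plus_release_or_None, configure_args) from `nginx -V` text."""
    m = re.search(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no nginx version line found")
    version = tuple(int(x) for x in m.groups())
    plus = re.search(r"nginx-plus-r(\d+)", output)          # assumed Plus suffix format
    plus_release = int(plus.group(1)) if plus else None
    cfg = re.search(r"configure arguments:(.*)", output)
    configure_args = cfg.group(1).split() if cfg else []
    return version, plus_release, configure_args

def assess(output):
    """Describe a host's exposure to the rewrite-module flaw from its `nginx -V` output."""
    version, plus_release, args = parse_nginx_v(output)
    if plus_release is not None:
        vulnerable_version = plus_release < PLUS_FIRST_FIXED
        product = f"NGINX Plus R{plus_release}"
    else:
        vulnerable_version = OSS_FIRST_AFFECTED <= version < OSS_FIRST_FIXED
        product = "NGINX Open Source " + ".".join(map(str, version))
    module_built_out = WORKAROUND_FLAG in args
    return {
        "product": product,
        "vulnerable_version": vulnerable_version,
        "rewrite_module_present": not module_built_out,
        # Exposed only if the version is in range AND the module is compiled in.
        "action_required": vulnerable_version and not module_built_out,
    }

# Constructed sample outputs (not captured from real hosts).
SAMPLE_OSS_OLD = "nginx version: nginx/1.27.3\nconfigure arguments: --with-http_ssl_module\n"
SAMPLE_OSS_FIXED = "nginx version: nginx/1.27.4\nconfigure arguments: --with-http_ssl_module\n"
SAMPLE_PLUS_OLD = "nginx version: nginx/1.27.3 (nginx-plus-r33)\nconfigure arguments: --with-http_ssl_module\n"
SAMPLE_WORKAROUND = "nginx version: nginx/1.26.0\nconfigure arguments: --without-http_rewrite_module\n"

if __name__ == "__main__":
    for sample in (SAMPLE_OSS_OLD, SAMPLE_OSS_FIXED, SAMPLE_PLUS_OLD, SAMPLE_WORKAROUND):
        print(assess(sample))
```

Distribution packages sometimes backport fixes without bumping the upstream version string, so treat a "vulnerable" result from this check as a prompt to confirm against the vendor's package changelog rather than as proof.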

The development and release of these patches followed standard responsible disclosure practices, with researchers giving NGINX time to develop fixes before making the vulnerability details public. F5 Networks has stated that there is no current evidence of active exploitation in the wild, but that could change as technical details become more widely circulated.

Source: F5 Networks
