Web server vulnerabilities that enable unauthenticated remote code execution represent some of the most severe threats in infrastructure security. When such flaws exist in widely-deployed software like NGINX, which powers a significant portion of the internet's traffic, the potential impact multiplies. The discovery of vulnerabilities that have persisted for years—especially those residing in fundamental components like the HTTP rewrite module—exposes just how challenging it is to audit complex, performance-critical codebases.

Enter Nginx-Rift, a proof-of-concept exploit targeting CVE-2026-42945, an eighteen-year-old heap buffer overflow in NGINX's ngx_http_rewrite_module. With over 697 GitHub stars, this project demonstrates how an architectural quirk in NGINX's script engine, a two-pass process that first computes the buffer size and then copies the data, creates the overflow condition. The is_args flag is handled inconsistently between the two passes, so the length pass underestimates the space required, while the copy pass applies URI escaping that can expand the data up to threefold and overruns the allocated heap buffer.

The interesting bits lie in both the vulnerability's longevity and the exploitation approach. The bug has existed since 2008, introduced in version 0.6.27 and only patched in early 2025 releases. This speaks to the difficulty of detecting memory safety issues in mature C codebases through traditional testing. The exploitation technique employs cross-request heap feng shui, carefully manipulating memory allocation across multiple requests so that target structures land at predictable positions. Rather than relying on conventional payload delivery, attackers abuse POST body spraying to create conditions where null-byte-free URI data can corrupt adjacent pool structures.

Three other related vulnerabilities (CVE-2026-42946, CVE-2026-40701, CVE-2026-42934) were discovered alongside this one by an autonomous security analysis system from DepthFirst. The fact that automated tooling found issues spanning nearly two decades suggests that current manual auditing approaches miss subtle state inconsistencies that only emerge under specific runtime conditions.

The project includes a straightforward testing setup using Docker containers, targeting Ubuntu 24.04.3 LTS. A shell script builds the environment, docker-compose starts the vulnerable NGINX instance, and the Python PoC either delivers a shell or demonstrates the vulnerability mechanics. The containerized approach prevents accidental execution against production systems while providing a safe reproduction environment.

Caveats are significant here. This is purely a security research tool, not a defensive measure. The README explicitly states affected versions range from NGINX Open Source 0.6.27 through 1.30.0, with fixes available in 1.30.1 and 1.31.0. NGINX Plus versions R32 through R36 require vendor patches. More broadly, the project highlights how legacy architectural decisions in foundational internet infrastructure can persist as exploitable conditions for nearly two decades.
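The practical question for a defender is whether a given NGINX build falls inside the affected range quoted above. The following script is an added example, not code from the Nginx-Rift repository: it parses the `nginx -v` banner (which NGINX prints to stderr as `nginx version: nginx/X.Y.Z`) and compares the version against the boundaries stated on this page (0.6.27 through 1.30.0 affected; 1.30.1 and 1.31.0 fixed; NGINX Plus R32 through R36 needing vendor patches). The `(nginx-plus-rNN)` suffix it looks for in Plus banners is an assumption about the banner format, and the sample banners in the comments are constructed.

```python
"""Check an NGINX version banner against the CVE-2026-42945 affected range
as stated in the Nginx-Rift README summary. Added example; not project code."""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Boundaries quoted on the page for NGINX Open Source.
FIRST_AFFECTED: Version = (0, 6, 27)
LAST_AFFECTED: Version = (1, 30, 0)
FIXED_RELEASES = ("1.30.1", "1.31.0")
# NGINX Plus releases the page says need vendor patches: R32 .. R36 inclusive.
PLUS_AFFECTED = range(32, 37)

# Matches "nginx/1.24.0" and, for Plus builds, "nginx/1.25.5 (nginx-plus-r32)".
# The "(nginx-plus-rNN)" suffix is an assumption about how Plus banners look.
_BANNER_RE = re.compile(r"nginx/(\d+)\.(\d+)\.(\d+)(?:\s*\(nginx-plus-r(\d+)\))?")


def parse_banner(text: str) -> Tuple[Optional[Version], Optional[int]]:
    """Return (oss_version, plus_release) from a 'nginx -v'/'nginx -V' dump.
    Constructed input "nginx version: nginx/1.24.0" -> ((1, 24, 0), None)."""
    m = _BANNER_RE.search(text)
    if not m:
        return None, None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    plus_release = int(m.group(4)) if m.group(4) else None
    return version, plus_release


def assess(text: str) -> Tuple[str, str]:
    """Classify a banner as affected / fixed / not-affected / unlisted / unknown,
    with a one-line explanation. Tuple comparison gives correct version ordering."""
    version, plus_release = parse_banner(text)
    if version is None:
        return "unknown", "could not find an nginx/X.Y.Z banner in the input"
    dotted = ".".join(map(str, version))
    if plus_release is not None:
        if plus_release in PLUS_AFFECTED:
            return "affected", f"NGINX Plus R{plus_release} is in R32-R36; apply the vendor patch"
        # Outside the range the page lists; not a statement that it is safe.
        return "unlisted", f"NGINX Plus R{plus_release} is outside the listed R32-R36 range"
    if version < FIRST_AFFECTED:
        return "not-affected", f"{dotted} predates the bug's introduction in 0.6.27"
    if version <= LAST_AFFECTED:
        return "affected", f"{dotted} is within 0.6.27..1.30.0; upgrade to {' or '.join(FIXED_RELEASES)}"
    return "fixed", f"{dotted} is at or beyond the fixed releases {'/'.join(FIXED_RELEASES)}"


def assess_local_nginx() -> Tuple[str, str]:
    """Run 'nginx -v' on this host (banner goes to stderr) and assess it."""
    try:
        proc = subprocess.run(["nginx", "-v"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "unknown", "nginx binary not found on PATH"
    return assess(proc.stdout + proc.stderr)


if __name__ == "__main__":
    status, detail = assess_local_nginx()
    print(f"{status}: {detail}")
```

Run it on the host, or feed it the output of `nginx -V` collected from a fleet inventory; `assess()` works on any text that contains the banner line, so the same function can be applied to stored banners without shelling out.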

If you want to run it, the README provides simple prerequisites: Docker, docker-compose, and a Linux environment (tested on Ubuntu). The setup involves cloning the repository, running a build script, and launching the containerized vulnerable server before executing the Python exploit. Check the repository's usage section for complete commands.

While Nginx-Rift serves an important role in vulnerability disclosure and awareness, it also underscores ongoing challenges in securing critical infrastructure. Projects like this remind us that the most mature software isn't necessarily the most secure, and that automated analysis tools may be essential for finding deep-seated architectural flaws. The source is on GitHub.