Impact
NGINX Plus and NGINX Open Source contain a heap buffer overflow in the ngx_http_rewrite_module when a rewrite directive uses a regex pattern with overlapping captures and a replacement string that references multiple captures. An unauthenticated attacker can send crafted HTTP requests that trigger the overflow, causing the NGINX worker process to crash and restart. If the system has Address Space Layout Randomization (ASLR) disabled, or the attacker can bypass ASLR, the overflow can also be used to execute arbitrary code.
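The risky configuration shape described above (a rewrite regex containing overlapping captures plus a replacement that references more than one capture) can be located in a configuration file before a patched build is rolled out. The script below is an added example, not code from the advisory or from the NGINX project; it assumes that "overlapping captures" means a capturing group enclosed inside another capturing group, which is a heuristic reading of the advisory rather than the vendor's definition, so its output is a list of rewrite directives to review, not a confirmation that a given directive is exploitable. The configuration it scans is constructed inline for the demonstration.

```python
"""Audit nginx configuration for rewrite directives whose regex has nested
(overlapping) capture groups and whose replacement references two or more
captures.  Added example; heuristic, not NGINX project code."""
import re
import sys
from dataclasses import dataclass

# rewrite <regex> <replacement> [flag];  -- regex/replacement may be quoted
REWRITE_RE = re.compile(
    r'^\s*rewrite\s+("[^"]*"|\'[^\']*\'|\S+)\s+("[^"]*"|\'[^\']*\'|\S+)')
CAPTURE_REF_RE = re.compile(r'\$(\d+)')   # $1 .. $9 style references

# Constructed sample config (not from any real deployment); line 2 is the
# only directive that combines nested captures with several references.
SAMPLE_CONFIG = r"""server {
    rewrite ^/old/((\w+)/(\d+))$ /new/$1/$2/$3 last;
    rewrite ^/a/(.*)$ /b/$1 permanent;
    rewrite ^/x/(\w+)/(\d+)$ /y/$2/$1 break;
    rewrite ^/p/((\w+)/\d+)$ /q/$1 last;
    rewrite ^/n/(?:foo|bar)/(\w+)$ /m/$1 last;
}
"""


@dataclass
class Finding:
    line_no: int
    regex: str
    replacement: str
    capture_groups: int
    nested: bool
    referenced: int


def _unquote(token):
    if len(token) >= 2 and token[0] == token[-1] and token[0] in "\"'":
        return token[1:-1]
    return token


def analyze_regex(pattern):
    """Return (capturing_group_count, has_nested_capture) for a PCRE-style pattern.
    Tracks escapes and character classes so literal parentheses are ignored."""
    count = 0
    open_capturing = 0      # capturing groups currently open
    nested = False
    stack = []              # one bool per open group: is it capturing?
    in_class = False
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == '\\':
            i += 2          # skip the escaped character
            continue
        if in_class:
            if ch == ']':
                in_class = False
        elif ch == '[':
            in_class = True
        elif ch == '(':
            capturing = True
            if pattern.startswith('(?', i):
                # (?<name>..) and (?P<name>..) capture; (?:..), lookarounds and
                # inline flags do not
                rest = pattern[i + 2:i + 4]
                capturing = rest.startswith('P<') or (
                    rest.startswith('<') and rest[:2] not in ('<=', '<!'))
            if capturing:
                count += 1
                if open_capturing > 0:
                    nested = True   # capture opened inside another capture
                open_capturing += 1
            stack.append(capturing)
        elif ch == ')':
            if stack and stack.pop():
                open_capturing -= 1
        i += 1
    return count, nested


def count_capture_refs(replacement):
    """Number of distinct numeric capture references ($1, $2, ...) in a replacement."""
    return len(set(CAPTURE_REF_RE.findall(replacement)))


def audit_config(text):
    """Return Findings for rewrite directives with nested captures and >= 2 references."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = REWRITE_RE.match(line)
        if not m:
            continue
        regex = _unquote(m.group(1))
        replacement = _unquote(m.group(2))
        groups, nested = analyze_regex(regex)
        refs = count_capture_refs(replacement)
        if nested and refs >= 2:
            findings.append(Finding(line_no, regex, replacement, groups, nested, refs))
    return findings


if __name__ == "__main__":
    # Pass a config path to scan a real file; otherwise scan the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for f in audit_config(text):
        print(f"line {f.line_no}: {f.capture_groups} groups (nested), "
              f"{f.referenced} references -> review: rewrite {f.regex} {f.replacement}")
```

The scanner only examines one directive per line and counts numeric references; named captures are detected as groups but references such as `$name` are not counted, so a directive that relies on named references needs a manual look. Any directive it reports should be compared against the vendor advisory and the installed version rather than treated as a confirmed vulnerability.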
Affected Systems
The vulnerability affects NGINX Open Source and NGINX Plus as provided by F5. The CPE strings supplied with the record identify NGINX Open Source 1.31.0 as affected. Other installations of these products should be treated as potentially vulnerable until a patched release is confirmed.
Risk and Exploitability
The CVSS score of 9.2 indicates high severity. While the EPSS score is 0.04 (4%), the vulnerability can be exploited remotely without authentication by manipulating HTTP requests, and its absence from the CISA KEV catalog does not diminish the risk. If ASLR is disabled or evaded, remote code execution is possible, making the risk very high in environments that do not enforce memory protection.
OpenCVE Enrichment