NGINX Plus and NGINX Open Source Heap Buffer Overflow Vulnerability via Regex Map Directive

Vulnerability

A vulnerability allowing for a heap buffer overflow has been identified in NGINX Plus (versions 37.0.0.1 to 37.0.2.1) and NGINX Open Source (versions 1.31.2, 1.30.0 to 1.30.3) when the map directive employs regex matching. The issue arises if a string expression references the map's regex capture variables before the map output variable, or by using a non-cacheable variable in a string expression under certain conditions. This vulnerability can be exploited by an unauthenticated attacker, under conditions beyond their control, by sending crafted HTTP requests. The buffer overflow occurs in the NGINX worker process, potentially leading to a restart. Furthermore, on systems with Address Space Layout Randomization (ASLR) disabled or where ASLR can be bypassed, this vulnerability may allow for code execution.

Impact

Exploitation of this vulnerability can cause a denial-of-service condition on the NGINX system, leading to a restart of the NGINX worker process. Additionally, it may allow for remote code execution on systems where ASLR is disabled or can be bypassed.

Remediation

To mitigate this vulnerability, avoid using unnamed captures in regex map directives. Instead, use named captures and reference them within the same block as the regex match. Users can upgrade to NGINX Plus version 37.0.3.1 or NGINX Open Source versions 1.31.3 or 1.30.4, depending on their current version.

Added: Jul 15, 2026, 3:46 PM
Updated: Jul 15, 2026, 3:46 PM

Vulnerability Rating

Custom Algorithm
spread
9.4
impact
7.5
exploitability
6.6
remediation
7.9
relevance
9.7
threat
0.0
urgency
2.9
incentive
4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.