F5 NGINX Plus
cpe:2.3:a:f5:nginx_plus:*:*:*:*:*:*:*
- >= 37, < 37.0.0
- >= R32, <= R36
A heap buffer overflow vulnerability has been identified in the ngx_http_rewrite_module of NGINX Plus and NGINX Open Source. This issue arises when the rewrite directive is used with unnamed Perl-Compatible Regular Expression (PCRE) captures in a way that includes a question mark in the replacement string. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests, potentially leading to a denial-of-service condition by causing the NGINX worker process to crash and restart. Furthermore, on systems with Address Space Layout Randomization (ASLR) disabled, this vulnerability could be exploited for arbitrary code execution.
Exploitation of this vulnerability can cause a denial-of-service condition by crashing the NGINX worker process, which then restarts. Additionally, on systems with ASLR disabled, the vulnerability could be exploited to execute arbitrary code.
To address this vulnerability, users are advised to upgrade to NGINX Plus version 37.0.0 or NGINX Open Source versions 1.31.0 or 1.30.1. For NGINX Instance Manager, version 2.21.1 or later should be used. If using NGINX App Protect WAF, upgrade to version 5.9.0 or later. For NGINX Gateway Fabric, version 2.5.1 or later is recommended. To mitigate the vulnerability without upgrading, use named captures instead of unnamed captures in rewrite directives.
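A configuration audit for the condition described above, as an added example that is not F5's or the NGINX project's code: it flags rewrite directives whose replacement string contains a question mark and references an unnamed capture ($1 to $9), which are the candidates for conversion to named captures. The sample configuration is constructed, the function names are hypothetical, and the check is a text heuristic that does not follow include directives.

```python
import re

# Constructed sample configuration for illustration (not from the advisory).
SAMPLE_CONF = r'''
server {
    listen 80;
    # unnamed capture and '?' in the replacement: the condition the advisory describes
    rewrite ^/user/(\d+)$ /profile?id=$1 last;
    # named capture: the mitigation the advisory suggests
    rewrite ^/item/(?<item_id>\d+)$ /view?id=$item_id last;
    # unnamed capture, but no '?' in the replacement
    rewrite ^/old/(.*)$ /new/$1 permanent;
    location /a { rewrite "^/a/(\w+);(\w+)$" "/b?x=$1&y=$2" break; }
}
'''

# Tokens: comment, quoted string, structural character, or bare word.
TOKEN = re.compile(r'''\#[^\n]* | "(?:\\.|[^"\\])*" | '(?:\\.|[^'\\])*' | [{};] | [^\s{};]+''', re.X)
UNNAMED_REF = re.compile(r'\$[1-9]')  # $1..$9 reference unnamed captures

def unquote(tok):
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in '"\'' else tok

def find_risky_rewrites(conf_text):
    """Return (line_number, directive) for each rewrite whose replacement
    contains '?' and references an unnamed capture."""
    findings, args, start = [], [], 0
    for m in TOKEN.finditer(conf_text):
        tok = m.group()
        if tok.startswith('#'):
            continue
        if tok in ('{', '}', ';'):
            if tok == ';' and len(args) >= 3 and args[0] == 'rewrite':
                replacement = unquote(args[2])
                if '?' in replacement and UNNAMED_REF.search(replacement):
                    line = conf_text.count('\n', 0, start) + 1
                    findings.append((line, ' '.join(args)))
            args = []
            continue
        if not args:
            start = m.start()  # remember where this directive begins
        args.append(tok)
    return findings

if __name__ == '__main__':
    for line, directive in find_risky_rewrites(SAMPLE_CONF):
        print(f'line {line}: {directive}')
```

Each reported directive is one to rewrite with a named capture, as in the second rewrite of the sample, or to clear by upgrading to a fixed version.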