NGINX Plus and NGINX Open Source ngx_http_rewrite_module Heap Buffer Overflow Vulnerability

Vulnerability

A heap buffer overflow vulnerability has been identified in the ngx_http_rewrite_module of NGINX Plus and NGINX Open Source. This issue arises when a rewrite directive employs a regex pattern with distinct, overlapping Perl-Compatible Regular Expression (PCRE) captures, and a replacement string that references multiple such captures in a redirect or arguments context. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests, which may lead to a denial-of-service condition by causing the NGINX worker process to crash and restart. Furthermore, on systems with Address Space Layout Randomization (ASLR) disabled or where ASLR can be bypassed, this vulnerability could be exploited to execute arbitrary code.

Impact

Exploitation of this vulnerability causes a heap buffer overflow in the NGINX worker process, leading to a crash and restart of that worker. In addition, on systems with ASLR disabled or where ASLR can be bypassed, this vulnerability could allow for arbitrary code execution.

Remediation

To address this vulnerability, users should upgrade NGINX Open Source to version 1.31.1 or 1.30.2, and NGINX Plus to version 37.0.1.1. For NGINX Ingress Controller, versions 5.4.2 and 4.0.1 are recommended. Users can also mitigate this vulnerability by using named captures instead of unnamed captures in rewrite directives.
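To find the directives that the named-capture mitigation applies to, the following added example (not code from the advisory or from NGINX) scans configuration text for rewrite directives whose replacement references two or more unnamed captures and reports whether the replacement is a redirect or carries arguments. It assumes one directive per line, does not follow include files, and over-approximates on purpose: it does not test whether the captures overlap. The function names and the sample configuration are constructed for illustration.

```python
import re

# One argument: double-quoted, single-quoted, or bare word (simplified nginx quoting).
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|[^\s;]+')
DIRECTIVE = re.compile(r'^\s*rewrite\s+(.+);')   # assumes one directive per line
NUMBERED_REF = re.compile(r'\$([1-9])')          # unnamed capture reference: $1..$9

def unquote(tok):
    return tok[1:-1] if len(tok) > 1 and tok[0] in '"\'' and tok[-1] == tok[0] else tok

def audit(config_text):
    """Return rewrite directives whose replacement uses 2+ unnamed captures."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = None if line.lstrip().startswith('#') else DIRECTIVE.match(line)
        args = [unquote(t) for t in TOKEN.findall(m.group(1))] if m else []
        if len(args) < 2:
            continue
        replacement, flag = args[1], (args[2] if len(args) > 2 else '')
        refs = sorted(set(NUMBERED_REF.findall(replacement)))
        if len(refs) < 2:
            continue  # named captures ($user, $post) and single references pass
        contexts = []
        # nginx answers with a redirect for these flags and replacement prefixes
        if flag in ('redirect', 'permanent') or \
                replacement.startswith(('http://', 'https://', '$scheme')):
            contexts.append('redirect')
        if '?' in replacement:
            contexts.append('arguments')
        findings.append({'line': lineno, 'captures': refs, 'contexts': contexts})
    return findings

# Constructed sample configuration (not taken from the advisory)
SAMPLE = r'''
server {
    rewrite ^/u/(\w+)/p/(\d+)$ /profile?user=$1&post=$2 last;
    rewrite ^/old/(.*)$ /new/$1 permanent;
    rewrite ^/shop/(\w+)/(\d+)$ https://shop.example.com/$1/$2;
    rewrite ^/u/(?<user>\w+)/p/(?<post>\d+)$ /profile?user=$user&post=$post last;
    # rewrite ^/a/(.*)/(.*)$ /b?x=$1&y=$2 redirect;
}
'''

if __name__ == '__main__':
    for f in audit(SAMPLE):
        print(f"line {f['line']}: unnamed captures ${', $'.join(f['captures'])} in "
              f"{' and '.join(f['contexts']) or 'internal'} context; use named captures")
```

The fourth rewrite in the sample is the named-capture form of the first and is not reported. Directives flagged here remain exposed until NGINX is upgraded to a fixed version or they are converted.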

Added: May 26, 2026, 3:58 PM
Updated: May 26, 2026, 3:58 PM

Vulnerability Rating

Custom Algorithm

spread: 9.4
impact: 7.5
exploitability: 5.8
remediation: 0.0
relevance: 9.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.