NGINX Plus and NGINX Open Source contain a heap buffer overflow vulnerability in ngx_http_rewrite_module. The flaw is triggered when a rewrite directive is followed by a rewrite, if, or set directive that combines an unnamed PCRE capture group (e.g., $1, $2) with a replacement string containing a question mark (?). An unauthenticated remote attacker can exploit this condition by sending crafted HTTP requests, causing the NGINX worker process to crash; on systems with ASLR disabled, arbitrary code execution is possible.
Patched versions: NGINX Open Source 1.31.0 (or 1.30.1 on the 1.30.x branch); NGINX Plus R37, R36 P4, or R32 P6.
Why there are no Confirmed Findings: A reliable exploitability test for this vulnerability would crash the target's NGINX worker process, which is disruptive to production traffic. For this reason, IONIX does not actively probe for this issue and cannot surface Confirmed Findings.
Recommended action: NGINX servers do not always expose their version in HTTP response headers, so the absence of a version banner does not mean a host is safe. Customers should inventory every NGINX instance (internet-facing and internal), check the installed version directly on the host, and upgrade any version below the patched releases listed above. Configurations using rewrite directives with unnamed PCRE capture groups and ? in the replacement string should be treated as highest priority.
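A host-side triage script for the inventory step above, added here as an example; it is not IONIX or NGINX tooling. It assumes `nginx -v` and `nginx -T` are available on the host, compares the reported version with the patched Open Source releases named above, and greps the config dump for rewrite lines that pair an unnamed capture with a `?`. The sample config inside it is constructed for the demonstration.

```shell
#!/bin/sh
# Added triage helper; not IONIX's or the NGINX project's own tooling.
# Compares an NGINX Open Source version with the patched releases in the
# advisory (1.31.0, or 1.30.1 on the 1.30.x branch) and flags rewrite lines
# whose replacement combines an unnamed capture ($1..$9) with a '?'.
# NGINX Plus (R-numbered) builds are not parsed here.

# needs_upgrade VERSION   (accepts "1.29.3" or the full `nginx -v` banner)
# Exit 0: below the patched releases; 1: patched or newer; 2: unparsable.
needs_upgrade() {
    ver=$(printf '%s\n' "$1" | sed 's#.*nginx/##' |
          sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || { echo "unparsable version: $1" >&2; return 2; }
    maj=${ver%%.*}; rest=${ver#*.}; min=${rest%%.*}; pat=${rest#*.}
    # Fixed from 1.31.0 and, on the 1.30.x branch, from 1.30.1, so
    # everything below 1.30.1 is below the patched releases.
    if [ "$maj" -ne 1 ]; then return $((maj < 1 ? 0 : 1)); fi
    if [ "$min" -ne 30 ]; then return $((min < 30 ? 0 : 1)); fi
    return $((pat < 1 ? 0 : 1))
}

# risky_rewrites < config   (e.g. nginx -T 2>/dev/null | risky_rewrites)
# Prints, with line numbers, uncommented rewrite directives that contain
# both an unnamed capture reference and a '?'. It over-flags on purpose
# (a '?' inside the regex part also matches), so each hit still needs a
# look at the surrounding rewrite/if/set block. Exit 0 if anything was flagged.
risky_rewrites() {
    grep -nE '(^|[[:space:]{;])rewrite[[:space:]]' |
        grep -vE '^[0-9]+:[[:space:]]*#' | grep -E '\$[1-9]' | grep -F '?'
}

# Constructed sample config; only line 4 should be flagged.
SAMPLE_CONF='server {
    listen 80;
    # rewrite ^/x/(.*)$ /y?q=$1 last;
    location /old/   { rewrite ^/old/(.*)$ /new?item=$1 permanent; }
    location /plain/ { rewrite ^/plain/(.*)$ /simple/$1 last; }
    location /named/ { rewrite ^/named/(?<slug>.*)$ /page?slug=$slug last; }
}'

printf '%s\n' "$SAMPLE_CONF" | risky_rewrites || echo "nothing flagged in sample"
if command -v nginx >/dev/null 2>&1; then           # live host check
    if needs_upgrade "$(nginx -v 2>&1)"; then echo "nginx is below the patched releases"; fi
    nginx -T 2>/dev/null | risky_rewrites || echo "no risky rewrite lines in live config"
fi
```

Run it as root on each inventoried host so that `nginx -T` can read the full, include-expanded configuration.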

