
A vulnerability that has quietly existed inside NGINX — one of the most popular web servers on the planet — for 18 years is now being actively exploited by attackers. Tracked as CVE-2026-42945 and nicknamed NGINX Rift, the flaw is a heap buffer overflow in NGINX’s URL-rewriting module. Attackers can trigger it by sending a specially crafted web request, which immediately crashes the NGINX worker process. When conditions are just right, the same technique may allow full remote code execution.
If your website or web application runs on NGINX — and hundreds of millions of sites do — anyone who can send a request matching the affected URL pattern can crash your worker processes over and over. The bug exists in every NGINX release from version 0.6.27 through 1.30.0. NGINX has issued a fix, and it should be treated as urgent given confirmed in-the-wild exploitation. If patching immediately is not possible, rewriting the unnamed captures ($1, $2, ...) in your rewrite directives as named captures avoids the vulnerable code path as a temporary measure.
How to check if you’re affected
Affected versions include NGINX 0.6.27 through 1.30.0 with rewrite directives that use unnamed PCRE captures (e.g., $1, $2).
- Check your NGINX version: run nginx -v in a terminal (the version banner is printed on stderr). Any version from 0.6.27 through 1.30.0 is vulnerable.
- Check your config: search your NGINX configuration files for rewrite rules that include $1, $2, or similar unnamed captures followed by a ? in the replacement string.
- Apply the patch: update NGINX to the latest stable release (1.30.1 or newer) using your package manager (apt, yum, brew, etc.).
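The three checks above, scripted as a triage pass. This is an added example, not code from the advisory or from the NGINX project; it assumes the affected range 0.6.27 through 1.30.0 stated above and the standard "nginx version: nginx/X.Y.Z" banner that nginx -v prints on stderr. The sample configuration it scans is constructed for the example, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or NGINX): triage for the checks above.
# Assumes the affected range 0.6.27..1.30.0 as stated on the page and the
# standard banner "nginx version: nginx/X.Y.Z" that nginx -v prints on stderr.

# Pull "X.Y.Z" out of the nginx -v banner. Prints nothing when the banner does
# not contain "nginx/" (an openresty/... banner, for instance).
nginx_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's#.*nginx/\([0-9][0-9.]*\).*#\1#p'
}

# Return 0 if "X.Y.Z" lies in the affected range 0.6.27 through 1.30.0
# (inclusive), 1 otherwise. Compares numerically, not as strings.
nginx_version_affected() {
    v=$1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;
    esac
    patch=${patch%%[!0-9]*}          # drop a distro suffix such as "-1ubuntu1"
    [ -n "$patch" ] || patch=0
    n=$((major * 1000000 + minor * 1000 + patch))
    [ "$n" -ge 6027 ] && [ "$n" -le 1030000 ]   # 0.6.27 -> 6027, 1.30.0 -> 1030000
}

# Rewrite directives whose replacement (third token) uses an unnamed capture
# ($1..$9) and also contains a '?': the combination the advisory says to look
# for. Scans one file; pass '-' to read stdin (e.g. the output of nginx -T).
list_suspect_rewrites() {
    awk '$1 == "rewrite" && $3 ~ /[$][0-9]/ && $3 ~ /[?]/ {
             printf "%s:%d: %s\n", FILENAME, FNR, $0
         }' "${1:--}"
}

count_suspect_rewrites() {
    list_suspect_rewrites "$1" | awk 'END { print NR }'
}

# Constructed sample configuration (not a real deployment) to exercise the scan.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
server {
    listen 80;
    # unnamed capture reused in a query string, '?' in the replacement: flagged
    rewrite ^/old/(.*)$ /new?path=$1? permanent;
    # unnamed capture but no '?' in the replacement: not the pattern described
    rewrite ^/img/(.*)$ /static/$1 last;
    # the first rule rewritten with a named capture (the temporary workaround)
    rewrite ^/old/(?<path>.*)$ /new?path=$path? permanent;
}
EOF

echo "Suspect rewrite directives in $SAMPLE_CONF:"
list_suspect_rewrites "$SAMPLE_CONF"

# Live check, only where nginx is installed. nginx -T dumps the full effective
# configuration (including files pulled in by include) on stdout.
if command -v nginx >/dev/null 2>&1; then
    ver=$(nginx_version_from_banner "$(nginx -v 2>&1)")
    if [ -n "$ver" ] && nginx_version_affected "$ver"; then
        echo "nginx $ver is in the affected range; scanning live configuration"
        nginx -T 2>/dev/null | list_suspect_rewrites -
    else
        echo "nginx version '${ver:-unknown}' is not in the affected range"
    fi
fi
```

The scanner only looks at the third token of each rewrite line, so a rule whose regex is quoted and contains spaces will not be parsed; the version comparison is numeric, so 1.30.1 correctly falls outside the range even though it sorts before 1.30.0 as a string. Run it as root, or against nginx -T output captured as root, so that included files are actually read.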
