whatisgithub

What is nginx-rift?

depthfirstdisclosures/nginx-rift — explained in plain English

Analysis updated 2026-05-18

662PythonAudience · developerComplexity · 4/5Setup · moderate

In one sentence

A proof of concept exploit for a critical NGINX vulnerability that lets an attacker run code on a vulnerable server remotely.

Mindmap

mindmap
  root((NGINX Rift))
    What it does
      Demonstrates CVE 2026-42945
      Heap buffer overflow PoC
      Remote code execution
    Tech stack
      Python
      Docker
      NGINX
    Use cases
      Verify server vulnerability
      Study exploit technique
      Security research
    Audience
      Security researchers
      Pentesters
      Ops teams patching NGINX

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Verify whether your own NGINX deployment is vulnerable to CVE-2026-42945 in an isolated test environment.

USE CASE 2

Study the memory corruption bug and exploitation technique for security research purposes.

USE CASE 3

Confirm a patch or upgrade fixes the vulnerability before deploying it to production.

What is it built with?

PythonDockerNGINX

How does it compare?

depthfirstdisclosures/nginx-riftfluxions-ai/vuifacebookresearch/sapiens2
Stars662659675
LanguagePythonPythonPython
Setup difficultymoderatehardmoderate
Complexity4/54/54/5
Audiencedeveloperdeveloperresearcher

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · moderate Time to first run · 30min

Requires Docker to spin up a deliberately vulnerable NGINX test server before running the PoC script.

The README does not state a license, so usage terms are unclear.

So what is it?

NGINX Rift is a proof of concept exploit for CVE-2026-42945, a critical security flaw in NGINX's rewrite module that had existed in the code since 2008. The bug allows an attacker to remotely execute code on a vulnerable server without needing to log in, as long as the server configuration uses the rewrite or set directives. It was found, along with three related memory corruption bugs, by an automated security analysis system from a company called depthfirst after it was pointed at the NGINX source code. The root cause is a mismatch inside NGINX's script engine, which calculates how much memory a buffer needs in one pass and then copies data into that buffer in a second pass. A flag called is_args controls whether special characters get expanded during copying, but that flag is set differently between the two passes, so the size calculated in the first pass ends up smaller than what actually gets written in the second pass. This creates a heap buffer overflow using attacker controlled data from the request URI. The proof of concept uses a technique that carefully arranges memory across several requests to corrupt a nearby memory structure, redirecting a cleanup pointer so that it runs a shell command when that structure is later destroyed. The README lists exactly which versions are affected and which versions contain the fix, covering both NGINX Open Source and NGINX Plus, and links to the official vendor advisory for full details. It also links to a longer technical write up describing the vulnerability in depth. To try the proof of concept, the README explains you first run a setup script to build a container, then start a deliberately vulnerable NGINX server with Docker Compose, and finally run a Python script with a shell flag to demonstrate code execution. It was tested on Ubuntu 24.04. The project is written in Python and does not state a license.

Copy-paste prompts

Prompt 1
Explain how the buffer size mismatch in NGINX's rewrite module leads to a heap overflow.
Prompt 2
Walk me through setting up the Docker test environment to run this proof of concept safely.
Prompt 3
Which NGINX versions are affected by CVE-2026-42945 and which versions fix it?
Prompt 4
Summarize the exploitation technique used to redirect the cleanup pointer in this PoC.

Frequently asked questions

What is nginx-rift?

A proof of concept exploit for a critical NGINX vulnerability that lets an attacker run code on a vulnerable server remotely.

What language is nginx-rift written in?

Mainly Python. The stack also includes Python, Docker, NGINX.

What license does nginx-rift use?

The README does not state a license, so usage terms are unclear.

How hard is nginx-rift to set up?

Setup difficulty is rated moderate, with roughly 30min to a first successful run.

Who is nginx-rift for?

Mainly developer.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.