depthfirstdisclosures/nginx-rift — explained in plain English
Analysis updated 2026-05-18
Verify whether your own NGINX deployment is vulnerable to CVE-2026-42945 in an isolated test environment.
Study the memory corruption bug and exploitation technique for security research purposes.
Confirm a patch or upgrade fixes the vulnerability before deploying it to production.
| depthfirstdisclosures/nginx-rift | fluxions-ai/vui | facebookresearch/sapiens2 | |
|---|---|---|---|
| Stars | 662 | 659 | 675 |
| Language | Python | Python | Python |
| Setup difficulty | moderate | hard | moderate |
| Complexity | 4/5 | 4/5 | 4/5 |
| Audience | developer | developer | researcher |
Figures from each repo's GitHub metadata at analysis time.
Requires Docker to spin up a deliberately vulnerable NGINX test server before running the PoC script.
NGINX Rift is a proof of concept exploit for CVE-2026-42945, a critical security flaw in NGINX's rewrite module that had existed in the code since 2008. The bug allows an attacker to remotely execute code on a vulnerable server without needing to log in, as long as the server configuration uses the rewrite or set directives. It was found, along with three related memory corruption bugs, by an automated security analysis system from a company called depthfirst after it was pointed at the NGINX source code. The root cause is a mismatch inside NGINX's script engine, which calculates how much memory a buffer needs in one pass and then copies data into that buffer in a second pass. A flag called is_args controls whether special characters get expanded during copying, but that flag is set differently between the two passes, so the size calculated in the first pass ends up smaller than what actually gets written in the second pass. This creates a heap buffer overflow using attacker controlled data from the request URI. The proof of concept uses a technique that carefully arranges memory across several requests to corrupt a nearby memory structure, redirecting a cleanup pointer so that it runs a shell command when that structure is later destroyed. The README lists exactly which versions are affected and which versions contain the fix, covering both NGINX Open Source and NGINX Plus, and links to the official vendor advisory for full details. It also links to a longer technical write up describing the vulnerability in depth. To try the proof of concept, the README explains you first run a setup script to build a container, then start a deliberately vulnerable NGINX server with Docker Compose, and finally run a Python script with a shell flag to demonstrate code execution. It was tested on Ubuntu 24.04. The project is written in Python and does not state a license.
A proof of concept exploit for a critical NGINX vulnerability that lets an attacker run code on a vulnerable server remotely.
Mainly Python. The stack also includes Python, Docker, NGINX.
The README does not state a license, so usage terms are unclear.
Setup difficulty is rated moderate, with roughly 30min to a first successful run.
Mainly developer.
This repo across BitVibe Labs
Verify against the repo before relying on details.