Critical Flaw in Nginx Web Server Allows Code Execution Via Heap Overflow

A new heap overflow vulnerability in NGINX allows unauthenticated remote attackers to crash worker processes or execute arbitrary code.

CSBadmin

The Vulnerability and Its Mechanism

A high-severity vulnerability has been discovered in NGINX, one of the most widely deployed web servers, reverse proxies, and API gateways. The flaw, nicknamed nginx-poolslip, affects both the open source edition and the commercial NGINX Plus edition. It can be triggered remotely by an unauthenticated attacker sending crafted HTTP requests.

The issue resides in ngx_http_rewrite_module and is reached when a rewrite directive uses particular regex patterns with overlapping PCRE capture groups. Processing a crafted request against such a pattern causes a heap buffer overflow (CWE-122) in the NGINX worker process. The overflow corrupts the memory pool used for request handling, potentially allowing an attacker to hijack control flow when the pool is destroyed. Note that the trigger depends on the server's own configuration: only deployments whose rewrite rules use such patterns are exposed, although the request that sets off the overflow is entirely attacker-controlled.

Impact and Scope

At a minimum, successful exploitation crashes the worker process, which the master process then respawns; an attacker who can repeat the trigger turns this into a denial of service. In environments where Address Space Layout Randomization (ASLR) is disabled or can be bypassed, remote code execution becomes possible. The flaw is scored 8.1 (High) under CVSS v3.1 and 9.2 (Critical) under CVSS v4.0.
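The denial-of-service outcome described above leaves a recognisable trace: the NGINX master process writes an alert of the form "worker process <pid> exited on signal <n>" to its error log every time it respawns a dead worker. The script below, an added example that is not part of the article and not NGINX's own code, parses those alerts and reports bursts of memory-corruption signals (SIGSEGV, SIGABRT, SIGBUS), which is what repeated attempts to trigger a heap overflow look like from the defender's side. The log lines at the bottom are constructed for illustration, and the burst threshold and window are assumed values to tune per deployment.

```python
"""Flag bursts of NGINX worker crashes in an error log (added example)."""
import re
from collections import deque
from datetime import datetime, timedelta

# The NGINX master logs this line when a worker dies on a signal, e.g.:
#   2025/01/15 10:05:01 [alert] 1000#1000: worker process 1002 exited on signal 11 (core dumped)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal (?P<sig>\d+)(?P<core> \(core dumped\))?"
)

# Signals that indicate memory corruption rather than an orderly shutdown (SIGTERM etc.).
CRASH_SIGNALS = {6: "SIGABRT", 7: "SIGBUS", 11: "SIGSEGV"}


def parse_line(line):
    """Return (timestamp, worker_pid, signal, core_dumped) for a worker-crash alert, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
    return ts, int(m.group("pid")), int(m.group("sig")), m.group("core") is not None


def find_crash_bursts(lines, threshold=3, window_seconds=60):
    """Return [(burst_start, crash_count), ...] for every window holding >= threshold crashes.

    Sliding window over the timestamps of crash-signal exits. A burst is reported
    once, when the threshold is first reached, and the window is then cleared so a
    sustained attack produces a series of burst reports rather than one per line.
    threshold and window_seconds are assumed defaults, not values from NGINX.
    """
    window = timedelta(seconds=window_seconds)
    recent = deque()
    bursts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] not in CRASH_SIGNALS:
            continue  # not a crash alert, or an ordinary signal such as SIGTERM
        ts = parsed[0]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            bursts.append((recent[0], len(recent)))
            recent.clear()
    return bursts


# Constructed sample error-log excerpt: one reload, three SIGSEGV crashes within
# four seconds, a later SIGABRT, and an unrelated SIGTERM hours afterwards.
SAMPLE_LOG = """\
2025/01/15 10:00:00 [notice] 1000#1000: signal 1 (SIGHUP) received from 999, reconfiguring
2025/01/15 10:00:00 [notice] 1000#1000: worker process 1001 exited with code 0
2025/01/15 10:05:01 [alert] 1000#1000: worker process 1002 exited on signal 11 (core dumped)
2025/01/15 10:05:02 [alert] 1000#1000: worker process 1003 exited on signal 11 (core dumped)
2025/01/15 10:05:04 [alert] 1000#1000: worker process 1004 exited on signal 11
2025/01/15 10:05:05 [alert] 1000#1000: worker process 1005 exited on signal 6 (core dumped)
2025/01/15 12:30:00 [alert] 1000#1000: worker process 1006 exited on signal 15
""".splitlines()


if __name__ == "__main__":
    for start, count in find_crash_bursts(SAMPLE_LOG):
        print(f"{count} worker crashes within 60s starting {start:%Y-%m-%d %H:%M:%S}")
```

Point the script at /var/log/nginx/error.log (or whatever error_log names) by replacing SAMPLE_LOG with the file's lines; a burst of signal 11 or 6 exits on a server whose rewrite rules match the vulnerable pattern is a strong signal to pull cores, block the source, and patch.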

Given NGINX's widespread deployment in critical infrastructure, container orchestration systems such as Kubernetes, and content delivery networks, the exposed population is very large. Users of NGINX Open Source versions 0.1.17 through 1.30.1 and 1.31.0 should upgrade to 1.30.2 or 1.31.1. NGINX Plus users on R32 through R36 should move to R36 P5 or R32 P7, and those on the 37.x line should upgrade to R37.0.1.1. Deployments that cannot patch immediately should review their rewrite directives for the regex patterns involved, since the overflow is only reachable through such rules.

Source: Cyber Security News
