Technical description
A critical heap buffer overflow vulnerability in NGINX's ngx_http_rewrite_module, introduced in 2008 and affecting versions 0.6.27 through 1.30.0 (NGINX Open Source) and R32 through R36 (NGINX Plus). The vulnerability is triggered when a rewrite directive whose replacement string contains a question mark is followed by a rewrite, if, or set directive that references an unnamed PCRE capture. An unauthenticated remote attacker can send crafted HTTP requests to trigger heap corruption, causing denial of service or potentially achieving remote code execution on systems with ASLR disabled.
Attack vector
An unauthenticated remote attacker sends specially crafted HTTP requests to a vulnerable NGINX configuration that uses rewrite rules containing question marks alongside set directives referencing captured values. The module builds the rewritten URI in two passes, one that calculates the required length and one that copies the data; the two diverge because the question mark permanently sets the is_args flag, so the copy pass calls ngx_escape_uri with NGX_ESCAPE_ARGS and expands each escapable character beyond the length the first pass reserved, overflowing the allocated buffer.
Affected systems
NGINX Open Source 0.6.27-1.30.0, NGINX Plus R32-R36, NGINX Instance Manager 2.16.0-2.21.1, F5 WAF for NGINX 5.9.0-5.12.1, NGINX App Protect WAF, NGINX App Protect DoS, NGINX Gateway Fabric, NGINX Ingress Controller. Affects approximately one-third of all websites globally, per F5 advisory.
Mitigation
Upgrade to NGINX Open Source 1.31.0 or 1.30.1, or NGINX Plus R37 / R36 P4 / R32 P6. Temporary mitigation: review configurations using rewrite rules with question marks alongside set directives referencing captured values. F5 has published detailed advisory K000161019. Organizations should prioritize patching internet-facing NGINX deployments immediately given the 18-year vulnerability window and published proof-of-concept code.
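As an added example (not from the F5 advisory or from NGINX itself), the following heuristic audit script flags the configuration pattern the mitigation tells you to review: a rewrite whose replacement contains '?', followed in the same block or an enclosing one by a set, if, or rewrite directive that references an unnamed capture ($1..$9). The configuration fragment is constructed, and brace counting is a simplification of NGINX's real config grammar.

```python
import re

# Constructed sample NGINX configuration (not from any real deployment):
# /old/ shows the pattern under review, /safe/ the same rewrite without '?'.
SAMPLE_CONF = """
server {
    listen 80;
    location /old/ {
        rewrite ^/old/(.*)$ /new/$1?from=legacy last;
        set $target $1;
    }
    location /safe/ {
        rewrite ^/safe/(.*)$ /ok/$1 last;
        set $x $1;
    }
}
"""

# Directives named in the advisory text; \b keeps rewrite_log/set_real_ip_from out.
DIRECTIVE_RE = re.compile(r"^(rewrite|set|if)\b(.*)$")
# References to unnamed PCRE captures: $1 .. $9.
UNNAMED_CAPTURE_RE = re.compile(r"\$[1-9]")


def find_risky_patterns(conf_text):
    """Return [(line_no, directive)] for set/if/rewrite directives that reference
    an unnamed capture after a '?'-rewrite in the same or an enclosing block."""
    findings = []
    depth = 0
    armed = set()  # brace depths at which a '?'-rewrite has been seen
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and indentation
        m = DIRECTIVE_RE.match(line)
        if m:
            name, rest = m.group(1), m.group(2)
            if UNNAMED_CAPTURE_RE.search(rest) and any(d <= depth for d in armed):
                findings.append((line_no, line))
            if name == "rewrite":
                args = rest.rstrip(";").split()  # regex, replacement, [flag]
                if len(args) >= 2 and "?" in args[1]:
                    armed.add(depth)
        depth += line.count("{")
        if "}" in line:
            depth -= line.count("}")
            armed = {d for d in armed if d <= depth}  # leaving a block disarms it
    return findings


if __name__ == "__main__":
    for line_no, text in find_risky_patterns(SAMPLE_CONF):
        print(f"line {line_no}: review -> {text}")
```

Run it against each nginx.conf and included file; a hit is not proof of exploitability, only the pattern that warrants review until the upgrade is applied.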