18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE (thehackernews.com)
from eager_eagle@lemmy.world to selfhosted@lemmy.world on 14 May 06:41
https://lemmy.world/post/46851451

Update your nginx instances

cross-posted from: lemmy.world/post/46851448


CVE - Common Vulnerabilities and Exposures system
RCE - Remote Code Execution
PoC - Proof of Concept

#selfhosted

cheesemoo@lemmy.world on 14 May 10:28

For anyone else using SWAG, it looks like a fix is on its way but not available yet. This SWAG issue points to an upstream Alpine package dependency that needs to be updated first. Looking at the source, they just recently committed backported patches, so presumably a new version will be released soon; then the SWAG image can be updated.

K3can@lemmy.radio on 14 May 12:17

Seems to be specific to rewrites using an un-named capture.

grep -rnE "\$[0-9.*].*\?" /etc/nginx

should show if you have any potentially vulnerable directives in your config.
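
The same check as a small scanner, added here as an example rather than K3can's own command or anything from nginx: it applies the thread's heuristic (a rewrite directive whose replacement argument uses a numbered capture such as $1 and also contains a ?), but parses directives instead of lines, so multi-line directives are caught, commented-out rewrites are ignored, and a ? in the regex argument alone does not trigger a hit. The sample config is constructed; flagged directives are candidates for review, not confirmed findings.

```python
import re
import shlex

NUMBERED_CAPTURE = re.compile(r"\$\d")
# A directive runs from 'rewrite' at the start of a line to the next ';' (possibly multi-line).
REWRITE_DIRECTIVE = re.compile(r"^[ \t]*rewrite\s+(.*?);", re.MULTILINE | re.DOTALL)

def strip_comments(text: str) -> str:
    """Blank out '#' comments (but not '#' inside quotes), keeping the line count intact."""
    out = []
    for line in text.splitlines():
        quote = None
        for i, ch in enumerate(line):
            if quote:
                quote = None if ch == quote else quote
            elif ch in "\"'":
                quote = ch
            elif ch == "#":
                line = line[:i]
                break
        out.append(line)
    return "\n".join(out)

def find_suspect_rewrites(text: str):
    """Return (line, directive) pairs whose replacement argument uses $N and contains '?'."""
    clean = strip_comments(text)
    hits = []
    for m in REWRITE_DIRECTIVE.finditer(clean):
        # rewrite REGEX REPLACEMENT [flag]; shlex keeps a quoted replacement together
        args = shlex.split(" ".join(m.group(1).split()), posix=False)
        if len(args) >= 2 and NUMBERED_CAPTURE.search(args[1]) and "?" in args[1]:
            hits.append((clean.count("\n", 0, m.start()) + 1, " ".join(args)))
    return hits

# Constructed sample (not from the article): a commented-out rewrite, a named
# capture without '?', and a suspect directive split across two lines.
SAMPLE = """\
server {
    # rewrite ^/old/(.*)$ /new?q=$1 permanent;
    rewrite ^/docs/(.*)$ /docs/index.html?page=$1 last;
    rewrite ^/api/(?<ver>v\\d+)/(.*)$ /api/$ver/$2 break;
    rewrite ^/legacy/(.*)$
            "/modern?path=$1" redirect;
    rewrite_log on;
}
"""

if __name__ == "__main__":
    for line_no, directive in find_suspect_rewrites(SAMPLE):
        print(f"line {line_no}: rewrite {directive};")
```

Point it at real files with `find_suspect_rewrites(open(path).read())` for each file under the config directory; `include`d files are not followed.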

Lemmchen@feddit.org on 14 May 12:27

I have an old Debian 11 “bullseye” installation running on one of my servers. It’s stuck at nginx 1.18.0, but it should theoretically still be covered by Debian 11 LTS security updates, right? wiki.debian.org/LTS/Using
nginx/oldoldstable-security,now 1.18.0-6.1+deb11u5

forbiddenlake@lemmy.world on 14 May 19:25

skankhunt42@lemmy.ca on 14 May 13:38

It’s days like this where I’m happy I’m unemployed. I have a group chat with a few friends and they’re pushing out patches and it’s a bit of a rush.

All my publicly accessible servers update every 6 hours and reboot after whenever they need to. It’s rare I need to step in and fix something. I checked a few hours ago and I’m not at risk.

GreenKnight23@lemmy.world on 14 May 21:00

> All my publicly accessible servers update every 6 hours and reboot after whenever they need to. It’s rare I need to step in and fix something. I checked a few hours ago and I’m not at risk.

not the flex you think it is.

didn’t npm have a worm problem a few days ago?

skankhunt42@lemmy.ca on 15 May 02:26

Yep. I wasn’t affected thankfully. Didn’t realise I was flexing, sorry. Just happy most of my stack is automated and it’s quite low maintenance at this point.

Where do I draw the line then? Serious question. If updating every couple hours is bad, then what’s safe?

GreenKnight23@lemmy.world on 15 May 02:50

for corporate services we do every 30 days. which is standard. emergency patches get direct support and resolved quickly.

JaddedFauceet@lemmy.world on 15 May 20:07

idk, also it is not about the frequency you update, it is usually about how long it has been since the package was published to the internet

see concept of min release age pnpm.io/blog/releases/10.16

i wonder if other package managers have a similar thing or not

pinhead77@piefed.social on 20 May 01:01

You can use pnpm instead of npm. pnpm has a “Delay dependency updates” feature where you can install package versions that are x old only. See https://pnpm.io/supply-chain-security#delay-dependency-updates

Edit: I just found out, that this can also be specified in npm and yarn: https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e93104

motruck@lemmy.zip on 15 May 14:41

Your friends should do a PoC before they rush to fix random bugs that ostensibly have a high severity.

motruck@lemmy.zip on 15 May 14:41

You should tell that in your group chat. Motruck says you need to slow down and stop jumping at high severity but low exploitability trash.

Decronym@lemmy.decronym.xyz on 14 May 19:30

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters   More Letters
HTTP            Hypertext Transfer Protocol, the Web
LTS             Long Term Support software version
nginx           Popular HTTP server

2 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.

[Thread #290 for this comm, first seen 15th May 2026, 02:30]

Nighed@feddit.uk on 15 May 05:16

Apparently not a massive deal? (I don’t know, just linking someone who seems to have a clue)

cyberplace.social/…/116578019563133410

eager_eagle@lemmy.world on 15 May 05:46

good to know!