
Critical 18-Year-Old Flaw Discovered in NGINX Rewrite Module
Cybersecurity, Vulnerabilities, Web Servers, Remote Code Execution
Cybersecurity researchers have disclosed multiple security vulnerabilities in NGINX Plus and NGINX Open Source, including a critical 18-year-old flaw in ngx_http_rewrite_module (CVE-2026-42945, CVSS v4 score: 9.2). The vulnerability, identified by depthfirst, is a heap buffer overflow that could enable unauthenticated remote code execution (RCE) or cause a denial-of-service condition. The flaw had remained undetected since the module's inception and affects both commercial and open-source NGINX deployments. The disclosure did not detail any specific instances of exploitation or the affected version ranges. The discovery highlights long-standing risks in widely used web server infrastructure.