Particle.news

Hackers Exploit Critical 'Nginx Rift' Bug as Fixes Ship

Most observed attacks are causing worker crashes rather than full server compromise.

Overview

  • VulnCheck said exploitation began soon after public disclosure, and it observed a cluster of activity tied to a single Chinese IP using a Vulnhuntr-based scanner.
  • The flaw is a heap buffer overflow in NGINX’s rewrite module that miscalculates a buffer when an unnamed regex capture meets a replacement string with a question mark and a following rewrite, if, or set rule.
  • A single crafted HTTP request can reliably crash NGINX worker processes on default setups, while remote code execution needs that exact rewrite pattern and disabled ASLR.
  • F5 released patches for NGINX Open Source 1.31.0 and 1.30.1 and NGINX Plus R36 P4 and R32 P6, and it recommends switching to named regex captures if upgrades cannot happen at once.
  • VulnCheck’s Censys query found roughly 5.7 million internet‑exposed servers running vulnerable versions, though only a smaller subset is likely configured in a way that is exploitable.
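
As an added example (not code from F5, VulnCheck or the article), the Python check below audits an NGINX configuration for the rewrite pattern the overview describes, so operators who cannot upgrade at once can find the rules to convert to named captures. It assumes one directive per line and reads "following" as a later rewrite, if, or set directive in the same block; the sample configuration and the names parse and audit are constructed for illustration.

```python
import re

# Constructed sample config (not from the article). Line 4 matches the
# described pattern; line 8 is the same rule rewritten with a named capture.
SAMPLE_CONF = r"""
server {
    location /a/ {
        rewrite ^/a/(\d+)$ /item?id=$1;
        set $flag 1;
    }
    location /b/ {
        rewrite ^/b/(?<id>\d+)$ /item?id=$id;
        set $flag 1;
    }
    location /c/ {
        rewrite ^/c/(\d+)$ /item?id=$1 last;
    }
}
"""

FOLLOWERS = {"rewrite", "if", "set"}
# A $1..$9 reference, or an unescaped "(" that is not "(?<name>" / "(?:".
UNNAMED = re.compile(r"\$[1-9]|(?<!\\)\((?!\?)")

def parse(conf):
    """Return (line_no, block_id, words); assumes one directive per line."""
    stack, next_id, out = [0], 1, []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: no '#' inside regexes
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        out.append((no, stack[-1], line.rstrip(";{").split()))
        if line.endswith("{"):  # directive opens a nested block
            stack.append(next_id)
            next_id += 1
    return out

def audit(conf):
    """Line numbers of rewrites matching the pattern described in the overview."""
    ds, hits = parse(conf), []
    for i, (no, blk, w) in enumerate(ds):
        if w[0] != "rewrite" or len(w) < 3 or "?" not in w[2]:
            continue
        if UNNAMED.search(w[1] + " " + w[2]) and any(
                b == blk and x[0] in FOLLOWERS for _, b, x in ds[i + 1:]):
            hits.append(no)
    return hits
```

A rule that is not flagged, such as the one in location /c/, is still running on an affected version until the patched release is installed.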