Analysis updated 2026-05-18
Study how a URL rewrite heap overflow bug in NGINX works
See a documented ASLR bypass built on a secondary PHP file read bug
Review the lab conditions required to reproduce the exploit safely
| hamid-k/nginx-rift-private-lab | nvlabs/spatialclaw | shootthesound/comfyui-mesh | |
|---|---|---|---|
| Stars | 67 | 67 | 67 |
| Language | Python | Python | Python |
| Setup difficulty | hard | hard | hard |
| Complexity | 5/5 | 5/5 | 4/5 |
| Audience | researcher | researcher | developer |
Figures from each repo's GitHub metadata at analysis time.
Requires a controlled lab matching specific conditions like PHP file read access and HTTP/2 enabled.
This repository is a private security research lab built around CVE-2026-42945, a critical vulnerability in the NGINX web server that was present in the codebase since 2008. The bug is a heap buffer overflow in the module that handles URL rewriting. An attacker can send a specially crafted HTTP request to a vulnerable server and, under the right conditions, execute arbitrary commands on that server without needing to log in. The technical cause is a mismatch between two passes in NGINX's script engine. The first pass calculates how much memory to allocate for a rewritten URL, and the second pass copies the data into that allocation. Because of a flag that only gets set during the copy pass, the copy writes more bytes than the allocation reserved, overflowing the heap buffer with content the attacker controls. The core proof-of-concept code came from the original CVE disclosure, produced by a security analysis tool called depthfirst. This fork extends that work with a more realistic attack chain that functions against servers where address space layout randomization is enabled. ASLR is a standard Linux security feature that randomizes memory locations to make exploits harder to write. The extended chain gets around ASLR by using a second vulnerability: a PHP local file read primitive on the same server. That flaw lets the researcher read files from the server's filesystem, including internal Linux process files that reveal where the NGINX worker process is loaded in memory. Once those addresses are known, the exploit can target the exact memory location it needs. The README carefully documents what conditions must be true for the exploit to work, including that PHP must be able to read certain process files and that HTTP/2 must be enabled. It is explicit that these are controlled lab conditions, not universal assumptions about real production servers. The vendor advisory and fixed versions are listed. NGINX Open Source versions 0.6.27 through 1.30.0 are affected, 1.31.0 and 1.30.1 contain the fix.
A private lab reproducing a critical NGINX heap overflow vulnerability, CVE-2026-42945, including an ASLR bypass chain.
Mainly Python. The stack also includes Python, NGINX.
Setup difficulty is rated hard, with roughly 1day+ to a first successful run.
Mainly researcher.
This repo across BitVibe Labs
Verify against the repo before relying on details.