https://depthfirst.com/research/nginx-rift-achieving-nginx-rce-via-an-18-year-old-vulnerability
A security vulnerability that has existed in the Nginx web server for eighteen years has been discovered and disclosed, raising serious concerns about the stability and security of a vast portion of the world’s internet infrastructure. The flaw affects the way Nginx handles certain HTTP requests and can be exploited to trigger a denial-of-service condition, potentially crashing the server and taking down any websites or applications running on it. More alarmingly, researchers have indicated there is also potential for the vulnerability to be leveraged for remote code execution, which would allow an attacker to run malicious commands on the affected server without any physical access.
Nginx is one of the most widely deployed web servers on the planet, powering a significant percentage of the world’s busiest websites, applications, and APIs. Its popularity extends across every sector, including banking, e-commerce, healthcare, and government — all of which have a substantial presence in Australia. The fact that this flaw has gone undetected for nearly two decades is a sobering reminder that even battle-tested, open-source software that undergoes constant scrutiny from the global developer community can harbour critical security weaknesses for extraordinarily long periods of time.
Administrators running Nginx are strongly urged to review the disclosed vulnerability details and apply any available patches or mitigations as a matter of priority. Given the sheer scale of Nginx’s deployment globally and in Australia, the attack surface is enormous and any delay in patching could leave critical services exposed to disruption or compromise.