
NGINX Rift: Best Exploit PoCs for Security Researchers in 2026

NGINX Rift turns a 2008-era NGINX rewrite-module heap overflow into a reproducible unauthenticated RCE chain, with enough implementation detail to study real heap grooming and cleanup-pointer corruption.

Pricing: Open-Source
Tech Stack: NGINX C internals, Docker Compose, Python 3
Target: security researchers and exploit developers
Category: Exploit PoCs

What Is NGINX Rift?

NGINX Rift is a DepthFirstDisclosures GitHub proof of concept for CVE-2026-42945, a critical heap buffer overflow in NGINX's ngx_http_rewrite_module. It is one of the best Exploit PoCs tools for security researchers because it demonstrates unauthenticated remote code execution against servers using rewrite and set directives, and it ships in the same disclosure bundle as three other memory-corruption CVEs discovered by depthfirst's analysis system.

The repo is built for exploit developers who need a concrete lab target, not a generic write-up. It shows how a two-pass script engine bug can become a shell path when allocator behavior, request shaping, and NGINX pool lifetimes line up in the attacker's favor.

Quick Overview

Attribute | Details
Type | Exploit PoCs
Best For | Security researchers and exploit developers
Language/Stack | NGINX C internals, Docker Compose, Python 3
License | N/A
GitHub Stars | N/A
Pricing | Open-Source
Last Release | N/A

Who Should Use NGINX Rift?

  • Vulnerability researchers validating whether an NGINX instance exposes the rewrite-module attack surface and whether a crash can be turned into code execution.
  • Exploit developers studying heap grooming, allocator adjacency, and ngx_pool_cleanup_s corruption in a controlled lab.
  • Red team operators who need to reproduce a vendor advisory before a patch window closes and want a working chain instead of a paper exploit.
  • AppSec teams reviewing whether their NGINX configuration uses rewrite and set patterns that widen the blast radius of a server-side memory bug.

Not ideal for:

  • Teams that want passive scanning only; NGINX Rift is an active exploit PoC, not a banner-grabber.
  • Engineers without an isolated lab, because the intended workflow includes shell access attempts and deliberate crash conditions.
  • People looking for a beginner-safe demo, since the repo assumes comfort with Docker, NGINX internals, and memory-corruption concepts.

Key Features of NGINX Rift

  • Two-pass rewrite engine reproduction — NGINX Rift models the size-calculation pass and the copy pass separately, which is the core bug. The first pass underestimates the required buffer because is_args is zeroed in the sub-engine, while the second pass expands escaped bytes with ngx_escape_uri.
  • Realistic heap overflow path — The PoC uses attacker-controlled URI data to overflow an undersized heap buffer. That matters because the bug is not just a crash; it is a write primitive against adjacent heap objects.
  • Cleanup-pointer corruption chain — NGINX Rift shows how adjacent ngx_pool_t structures can be targeted so the cleanup pointer lands on a fake ngx_pool_cleanup_s. That design choice turns pool teardown into a control-flow event.
  • Cross-request heap shaping — The exploit relies on request sequencing and heap feng shui, not a single one-shot payload. POST-body spraying is used because URI bytes cannot carry nulls cleanly, so the exploit needs a separate allocation strategy for metadata placement.
  • Lab-friendly packaging — The repository includes ./setup.sh and docker compose -f env/docker-compose.yml up so you can stand up the vulnerable server without hand-building an NGINX tree. That makes it easier to compare allocator behavior across runs.
  • Version-focused impact data — NGINX Rift maps the issue to NGINX Open Source 0.6.27 – 1.30.0 and NGINX Plus R32 – R36, with fixed releases called out in the advisory. That lets you use the PoC for patch validation, not just curiosity.
  • Shell-oriented end state — The repo's python3 poc.py --shell path is aimed at practical verification. It is meant to prove that the overflow can move past a crash into code execution in an isolated environment.

NGINX Rift vs Alternatives

Tool | Best For | Key Differentiator | Pricing
NGINX Rift | Reproducing a specific NGINX RCE chain | Focused PoC with allocator and pool-lifetime detail | Open-Source
Metasploit Framework | Broad exploitation and payload delivery | Huge module library, but less focused on one NGINX bug's internals | Open-Source
Exploit-DB | Researching public exploit references | Curated exploit listings, not an execution-ready lab harness | Free
Nuclei | Fast vulnerability validation at scale | Template-based detection, not a full heap-exploitation workflow | Open-Source

Pick Metasploit Framework when you want payload orchestration and post-exploitation primitives across many targets, not a single vulnerability lab. Pick Exploit-DB when you need historical exploit references and disclosure context before building your own reproduction.

Pick Nuclei when your question is "is this host exposed?" rather than "can I drive this bug to code execution?" For adjacent workflows, OpenSwarm is useful when you want multi-agent triage around related findings, OpenTrace helps when you need request-path visibility while reproducing the issue, and Brainstorm MCP fits the ideation stage before you build a lab.

How NGINX Rift Works

NGINX Rift works by exploiting the mismatch between NGINX's length-calculation pass and its copy pass inside the rewrite script engine. The bug appears when a rewrite replacement contains ?, which toggles is_args in the main engine, but the sizing pass runs on a freshly zeroed sub-engine and therefore computes a smaller buffer than the copy pass later needs.

The actual overflow is driven by ngx_escape_uri with NGX_ESCAPE_ARGS, which can expand a single byte into three bytes. That makes the copied data larger than the heap allocation reserved during the first pass, so attacker-controlled URI bytes spill into the next allocation and corrupt neighboring metadata.

The exploit design then uses cross-request heap feng shui to place a target object next to the overflow region. The repo's write-up explains how a nearby ngx_pool_t cleanup list can be targeted so pool destruction eventually dispatches to a controlled function pointer, which is how a memory bug becomes code execution.
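To make the sizing-versus-copy mismatch concrete, here is a small C model of the two-pass engine described above. It is an added example, not NGINX source and not the NGINX Rift PoC: the names rw_engine, rw_escape_args_len, rw_escape_args and rewrite_demo are this example's own stand-ins for the real ngx_http_script_* engine and ngx_escape_uri, and the set of bytes it escapes is an assumption chosen to show the one-byte-to-three-byte expansion. The copy pass is bounds-checked so the mismatch is reported rather than triggered, and the fixed sizing pass is shown next to the vulnerable one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: a simplified model of the two-pass rewrite script engine.
 * Not NGINX code and not the NGINX Rift PoC; all names below are assumptions. */

struct rw_engine {
    int is_args;   /* flipped once the replacement has emitted a '?' */
};

/* Bytes the args-escaper turns into %XX.  ngx_escape_uri uses a bitmap table;
 * this short list is an assumption, enough to show the 1 -> 3 byte expansion. */
static int rw_needs_escape(unsigned char c)
{
    return c == ' ' || c == '"' || c == '<' || c == '>' || c == '%' || c >= 0x7f;
}

/* Bytes the escaped form of src needs: +2 for every byte that becomes %XX. */
static size_t rw_escape_args_len(const char *src, size_t len)
{
    size_t n = len;
    for (size_t i = 0; i < len; i++)
        if (rw_needs_escape((unsigned char)src[i]))
            n += 2;
    return n;
}

/* Escape src into dst; the caller must have reserved rw_escape_args_len bytes. */
static void rw_escape_args(char *dst, const char *src, size_t len)
{
    static const char hex[] = "0123456789ABCDEF";
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (rw_needs_escape(c)) {
            *dst++ = '%';
            *dst++ = hex[c >> 4];
            *dst++ = hex[c & 0x0f];
        } else {
            *dst++ = (char)c;
        }
    }
}

/* The main engine walks the literal part of the replacement; a '?' sets
 * is_args so the captured value appended afterwards is escaped as query args. */
static void rw_run_literal(struct rw_engine *e, const char *literal)
{
    for (const char *p = literal; *p; p++)
        if (*p == '?')
            e->is_args = 1;
}

/* Vulnerable sizing pass: runs on a freshly zeroed sub-engine, so is_args is
 * always 0 here and the captured value is counted unescaped. */
static size_t rw_size_capture_vuln(const char *capture)
{
    struct rw_engine sub = { 0 };
    return sub.is_args ? rw_escape_args_len(capture, strlen(capture))
                       : strlen(capture);
}

/* Fixed sizing pass: uses the same is_args state the copy pass will see. */
static size_t rw_size_capture_fixed(const struct rw_engine *e, const char *capture)
{
    return e->is_args ? rw_escape_args_len(capture, strlen(capture))
                      : strlen(capture);
}

struct rw_outcome {
    size_t allocated;   /* bytes reserved after the sizing pass */
    size_t needed;      /* bytes the copy pass actually wants to write */
    int    overflow;    /* 1 if an unchecked copy would run past the buffer */
};

/* Runs both passes for "literal" + "$1" and reports the size mismatch.
 * The copy is bounds-checked, so the bug is reported instead of triggered. */
static struct rw_outcome rewrite_demo(const char *literal, const char *capture, int fixed)
{
    struct rw_engine main_e = { 0 };
    struct rw_outcome o;
    size_t llen = strlen(literal), clen = strlen(capture);

    rw_run_literal(&main_e, literal);                 /* a '?' sets is_args */

    o.allocated = llen + (fixed ? rw_size_capture_fixed(&main_e, capture)
                                : rw_size_capture_vuln(capture));
    o.needed    = llen + (main_e.is_args ? rw_escape_args_len(capture, clen) : clen);
    o.overflow  = o.needed > o.allocated;

    if (o.overflow) {
        printf("OVERFLOW %-12s alloc=%zu need=%zu (%zu bytes past the end)\n",
               literal, o.allocated, o.needed, o.needed - o.allocated);
        return o;
    }
    char *buf = malloc(o.allocated + 1);
    if (buf == NULL) return o;
    memcpy(buf, literal, llen);
    if (main_e.is_args)
        rw_escape_args(buf + llen, capture, clen);
    else
        memcpy(buf + llen, capture, clen);
    buf[o.needed] = '\0';
    printf("ok       %-12s alloc=%zu need=%zu -> %s\n", literal, o.allocated, o.needed, buf);
    free(buf);
    return o;
}

int main(void)
{
    /* Constructed inputs: a rule like "rewrite ^/old/(.*)$ /new?path=$1"
     * receiving a captured segment that contains spaces. */
    rewrite_demo("/new?path=", "a b c", 0);   /* vulnerable sizing pass */
    rewrite_demo("/new?path=", "a b c", 1);   /* consistent sizing pass */
    rewrite_demo("/new/",      "a b c", 0);   /* no '?', no escaping, no mismatch */
    return 0;
}
```

The point the model makes is that the two passes disagree only when a '?' precedes the capture: with the literal "/new?path=" and the capture "a b c", the vulnerable sizing pass reserves 15 bytes while the copy pass wants 19, whereas sizing with the main engine's is_args reserves 19 and the two passes agree. In a code review, the thing to look for is any length-calculation helper that is run on fresh or default state rather than the state the copy will actually use.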

./setup.sh
docker compose -f env/docker-compose.yml up
python3 poc.py --shell

That sequence builds the vulnerable lab, starts the NGINX service in Docker, and runs the exploit script in shell mode. Expect the first two commands to prepare the environment and the last command to trigger the corruption path against the containerized server.

Pros and Cons of NGINX Rift

Pros:

  • Gives you a reproducible lab for a real NGINX rewrite-module bug instead of a vague crash report.
  • Shows the exact two-pass sizing vs copying mistake that caused the overflow, which makes code review faster.
  • Documents the affected and fixed version ranges, which is useful for patch triage.
  • Demonstrates a realistic exploitation chain with heap shaping and cleanup-pointer abuse.
  • Includes Docker-based setup steps, which reduces environment drift when you compare runs.
  • Serves as a clean reference for allocator behavior, request parsing, and pool teardown in NGINX.

Cons:

  • It is narrowly scoped to one class of NGINX memory corruption, so it is not a general-purpose scanner.
  • It assumes a lab mindset and can be misused if run outside an isolated environment.
  • The exploit path depends on memory layout and request sequencing, so reliability is not guaranteed across every build.
  • It is tied to specific NGINX branches and patch levels, which limits reuse on unrelated targets.
  • The repo does not read like a turnkey product; you still need to understand NGINX internals to adapt it safely.

Getting Started with NGINX Rift

Run the setup script, start the compose stack, and then execute the proof of concept from the repository root.

./setup.sh
docker compose -f env/docker-compose.yml up
python3 poc.py --shell

After those commands finish, you should have a vulnerable NGINX instance running in Docker and a PoC that attempts to trigger the overflow against it. The repository states that the lab was tested on Ubuntu 24.04.3 LTS, so use a Linux host with Docker Engine and Python 3 if you want the same execution path.

The first run may require you to confirm Docker permissions or pull base images. If the exploit does not land on the first attempt, verify that the targeted NGINX build matches the affected version range and that the rewrite and set directives are present in the test configuration.
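The two checks suggested above (is the build inside the affected range, and does the test configuration actually contain the rewrite pattern) can be scripted. The following is an added example, not part of the NGINX Rift repository: it encodes the affected ranges the page lists (NGINX Open Source 0.6.27 to 1.30.0, NGINX Plus R32 to R36) and scans a configuration for rewrite directives whose replacement contains a '?', the pattern the write-up says toggles is_args. The function names version_affected and count_args_rewrites and the sample configuration are this example's own; the scan is line-based triage, not a full nginx config parser.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not part of the NGINX Rift repository.  Names and the
 * sample configuration below are constructed for illustration. */

/* Packs "major.minor.patch" into a comparable integer; -1 if unparsable. */
static long version_key(const char *v)
{
    int a, b, c;
    if (sscanf(v, "%d.%d.%d", &a, &b, &c) != 3)
        return -1;
    return (long)a * 1000000L + (long)b * 1000L + c;
}

/* 1 if the build is in the affected range the advisory lists, 0 if not,
 * -1 if the string cannot be parsed.  Accepts "1.26.2" (Open Source)
 * or "R34" (NGINX Plus release numbering). */
static int version_affected(const char *v)
{
    if (v[0] == 'R' || v[0] == 'r') {
        int r;
        if (sscanf(v + 1, "%d", &r) != 1)
            return -1;
        return r >= 32 && r <= 36;                 /* NGINX Plus R32 - R36 */
    }
    long key = version_key(v);
    if (key < 0)
        return -1;
    return key >= version_key("0.6.27") && key <= version_key("1.30.0");
}

/* Counts rewrite directives whose replacement (second argument) contains '?'.
 * A line whose first token is not "rewrite" is ignored, so comment lines are
 * skipped; nested blocks and line continuations are not parsed. */
static int count_args_rewrites(const char *conf)
{
    int hits = 0;
    const char *line = conf;
    while (*line) {
        const char *nl = strchr(line, '\n');
        const char *end = nl ? nl : line + strlen(line);
        const char *p = line;
        while (p < end && isspace((unsigned char)*p)) p++;
        if (p + 7 < end && strncmp(p, "rewrite", 7) == 0 && isspace((unsigned char)p[7])) {
            p += 7;
            while (p < end && isspace((unsigned char)*p)) p++;   /* to the regex */
            while (p < end && !isspace((unsigned char)*p)) p++;  /* past the regex */
            while (p < end && isspace((unsigned char)*p)) p++;   /* to the replacement */
            const char *repl = p;
            while (p < end && !isspace((unsigned char)*p) && *p != ';') p++;
            if (memchr(repl, '?', (size_t)(p - repl)) != NULL)
                hits++;
        }
        if (!nl)
            break;
        line = nl + 1;
    }
    return hits;
}

/* Constructed sample configuration: two rewrites carry a '?' in the
 * replacement, one does not, and one is commented out. */
static const char SAMPLE_CONF[] =
    "server {\n"
    "    listen 80;\n"
    "    set $backend \"app\";\n"
    "    rewrite ^/old/(.*)$ /new/$1 permanent;\n"
    "    rewrite ^/search/(.*)$ /search?q=$1 last;\n"
    "    # rewrite ^/x/(.*)$ /y?z=$1;\n"
    "    rewrite ^/legacy/(.*)$ /app?path=$1&src=legacy last;\n"
    "}\n";

int main(void)
{
    const char *builds[] = { "1.26.2", "1.30.0", "1.30.1", "0.6.26", "R34", "R37" };
    for (size_t i = 0; i < sizeof builds / sizeof builds[0]; i++)
        printf("%-8s affected=%d\n", builds[i], version_affected(builds[i]));
    printf("rewrite directives with '?' in the replacement: %d\n",
           count_args_rewrites(SAMPLE_CONF));
    return 0;
}
```

Feed version_affected the version string reported by `nginx -v` and count_args_rewrites the output of `nginx -T` (which prints the full effective configuration, includes resolved); a count of zero on a build in the affected range means the lab configuration is missing the directive pattern the PoC depends on, which is the first thing to fix when the exploit does not land.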

Verdict

NGINX Rift is the strongest option for validating NGINX rewrite-module exposure when you need a real RCE chain in a disposable lab. Its main strength is the clear, reproducible heap-overflow path; its caveat is that it is tightly scoped to specific NGINX versions and allocator conditions. Use it for research and patch verification, not production troubleshooting.
