NGINX Poolslip 0‑Day RCE: Should You Panic?

A newly disclosed nginx‑poolslip 0‑day RCE affecting NGINX 1.31.0 targets the internal memory‑pool, requires a rare non‑default configuration, and while no public PoC exists, analysis of 4,000 real configurations found none exploitable, prompting specific mitigation steps.

Black & White Path

0‑Day RCE in NGINX 1.31.0 (nginx‑poolslip)

On 21 May 2024 NebSec researcher Vega disclosed a zero‑day vulnerability named nginx‑poolslip affecting the latest stable release NGINX 1.31.0. The flaw resides in the internal memory‑pool structure ngx_pool_t, which each worker process uses for all request‑lifetime allocations. A specially crafted HTTP request can trigger an out‑of‑bounds write or a use‑after‑free during pool allocation, resulting in unauthenticated remote code execution. No official patch exists at the time of disclosure.

How the memory‑pool is corrupted

Each worker maintains its own ngx_pool_t. The pool stores pointers to the objects allocated from it; if any of those pointers is overwritten, the entire pool becomes corrupted. The exploit manipulates the allocation/release sequence so that an out‑of‑bounds write or use‑after‑free occurs, corrupting the pool metadata and allowing arbitrary code execution. The full exploitation chain has not been published; only the vulnerability name and the requirement for a specific configuration state are known.

Configuration‑based exploitability

Independent researcher XorNinja downloaded more than 4,000 public NGINX configuration files from GitHub and searched for the patterns required to trigger nginx‑poolslip. Result: zero matches. Another researcher, Yanir_, noted that ASLR‑bypass attempts are futile because the necessary configuration does not appear in real deployments; if an attacker can already read host files, the system is compromised anyway.

Recent NGINX vulnerabilities (context)

nginx‑rift (CVE‑2026‑42945) – disclosed 13 May 2024 by DepthFirst AI. A chain of four CVEs, the most severe being a heap buffer overflow in ngx_http_rewrite_module that requires the rewrite + set directive combination. CVSS 9.2. Patched after disclosure.

njs module vulnerability (CVE‑2026‑8711) – disclosed around 19 May 2024. A heap overflow triggered via ngx.fetch() and the js_fetch_proxy directive, which must be explicitly enabled. Classified as high severity. Patched after disclosure.

nginx‑poolslip – disclosed 21 May 2024. Exploit requires a non‑default configuration that enables a particular state transition in the memory pool. No patch available yet; CVSS not assigned.

All three vulnerabilities share a common trait: they depend on modules or directives that are disabled by default and must be explicitly enabled in nginx.conf. This reflects NGINX’s modular architecture, where only configured modules participate in request processing.

Practical mitigation steps

Verify NGINX version

nginx -v
# Example output: nginx version: nginx/1.31.0

If the output shows 1.31.0, upgrade to the latest stable release (at least 1.31.1) as soon as it becomes available.

Audit configuration for risky modules

Inspect nginx.conf for any of the following enabled settings:

ngx_http_rewrite_module with the rewrite + set combination

ngx_http_js_module (njs) enabled

js_fetch_proxy directive

ngx_http_scgi_module or ngx_http_uwsgi_module

Standard reverse‑proxy + SSL termination + static file serving typically does not use these directives.

Strengthen WAF / perimeter controls

Block external access to /nginx_status and /status endpoints.

Filter excessively large HTTP headers and malformed request lines.

Run worker processes under a low‑privilege user.

Monitor official security advisories

nginx‑poolslip remains a 0‑day with no public PoC or patch. Track announcements from NGINX/F5 and apply patches immediately when released.
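The version check and configuration audit above, as an added POSIX shell example (not the article's own tooling): it flags the 1.31.0 version string and scans a config for the directives the article lists, ignoring commented‑out lines. The sample nginx.conf inside it is constructed for the demo; scgi_pass and uwsgi_pass are used as the markers for the SCGI/uWSGI modules.

```shell
#!/bin/sh
# Added example, not from the article. Audits an nginx.conf for the
# directives the article names as preconditions for nginx-rift, the njs
# ngx.fetch() bug and nginx-poolslip, and flags the affected version.

# nginx_version_flagged "<output of: nginx -v 2>&1>" -> exit 0 if 1.31.0.
# nginx -v prints to stderr, so capture it with 2>&1.
nginx_version_flagged() {
  ver=$(printf '%s' "$1" | sed -n 's#.*nginx/\([0-9][0-9.]*\).*#\1#p')
  [ "$ver" = "1.31.0" ]
}

# has_directive FILE REGEX -> exit 0 if a non-commented line matches REGEX.
has_directive() {
  sed 's/#.*$//' "$1" | grep -Eq "$2"
}

# audit_nginx_conf FILE -> one finding per line; exit 0 if clean, 1 if not.
audit_nginx_conf() {
  f="$1"; n=0
  if has_directive "$f" '^[[:space:]]*rewrite[[:space:]]' &&
     has_directive "$f" '^[[:space:]]*set[[:space:]]'; then
    echo "rewrite + set combination (nginx-rift precondition)"; n=$((n+1))
  fi
  if has_directive "$f" 'ngx_http_js_module'; then
    echo "njs module loaded (ngx_http_js_module)"; n=$((n+1))
  fi
  if has_directive "$f" '^[[:space:]]*js_fetch_proxy[[:space:]]'; then
    echo "js_fetch_proxy enabled (njs ngx.fetch() precondition)"; n=$((n+1))
  fi
  if has_directive "$f" '^[[:space:]]*(scgi_pass|uwsgi_pass)[[:space:]]'; then
    echo "scgi/uwsgi upstream (ngx_http_scgi_module / ngx_http_uwsgi_module)"
    n=$((n+1))
  fi
  [ "$n" -eq 0 ]
}

# Constructed sample: a typical reverse proxy plus two risky settings
# and one commented-out directive that must not be reported.
sample_conf() {
  t=$(mktemp); cat >"$t" <<'EOF'
load_module modules/ngx_http_js_module.so;
http {
  server {
    listen 443 ssl;
    set $backend "app";
    rewrite ^/old/(.*)$ /new/$1 permanent;
    # js_fetch_proxy on;
    location / { proxy_pass http://app; }
  }
}
EOF
  echo "$t"
}

audit_nginx_conf "$(sample_conf)" || echo "risky directives found"
```

Run it against a live host with audit_nginx_conf /etc/nginx/nginx.conf and nginx_version_flagged "$(nginx -v 2>&1)"; included files are not followed, so repeat for each file pulled in by include.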

Takeaway

The vulnerability is real, but exploitation requires a narrow, non‑default configuration path. Analysis of thousands of real‑world configurations shows that typical reverse‑proxy setups are unlikely to be vulnerable, though the risk cannot be dismissed until a full PoC and patch are published.

[Figure: NGINX memory pool security diagram]

[Figure: NGINX configuration audit]
Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.
