NGINX Rift: An 18-Year-Old Vulnerability Found by AI

Hinzugefügt: 2026-05-16

[00:00:00]18 years. That's how long a heap overflow bug has sat undiscovered in Engine X, the web server software that powers roughly a third of public websites.

[00:00:10]Then, an AI scanner pointed at the source code and flagged it in just 6 hours.

[00:00:17]The flaw is called Engine X Rift, disclosed yesterday by research firm Depth First. F5, which maintains Engine X, confirmed the bug and shipped patches the same day. That's quick.

[00:00:28]It was introduced way back in Engine X 0.6.27 in 2008 and stayed in every release through 1.30.0.

[00:00:37]If you don't know, Engine X is an open-source web server. You've probably been using it all day. Things like Netflix video delivery, wordpress.com, and Pinterest all run on it, along with plenty of other major sites. If you've got a home lab with a front end, it's probably in your stack, too.

[00:00:53]The Rift bug lives in the Engine X URL rewriting code. The part that handles rules like, "If a URL looks like A, change it to B."

[00:01:03]It triggers on a config pattern Depth First calls common. A rewrite rule using a particular pattern match shortcut, a question mark in the new URL, and another rule right after. When those three line up, Engine X miscalculates how much memory it needs. It measures the space one way, but writes another.

[00:01:24]The result is a heap overflow.

[00:01:27]Anyone who can reach a vulnerable server can crash it with one crafted HTTP request. No login required.

[00:01:35]Bleeping Computer reports the bug can also be exploited for remote code execution, RCE, under certain conditions.

[00:01:44]The public proof of concept demonstrates full code execution, but only with ASLR turned off.

[00:01:52]ASLR is enabled by default, so denial of service is broadly reachable, while RCE on a default install is harder.

[00:02:00]Depth first runs an AI-powered source code analysis system. They pointed it at Engine X, and inside 6 hours it flagged four memory corruption issues, and a bug that survived 18 years of public code review, flagged by an autonomous scanner on its first run.

[00:02:18]So, if you're running Engine X older than 1.31.0 or 1.30.1, upgrade. If you can't upgrade right away, audit your config for the trigger pattern and apply the workaround from F5's advisory.

[00:02:32]A lot of the internet runs on decades of handwritten C that no human has had time to fully audit. The scanners are now doing it, whether they're good scanners or bad scanners.