Situation
Vulnerability CVE-2026-42945 affecting nginx has been discovered. All nginx versions released over the last 18 years, up to but not including 1.31.1 and 1.30.1, are vulnerable if rewrite rules referencing unnamed regex captures (such as $1) are present.
Plesk ships nginx as part of its core installation and may be affected depending on the server's nginx version and rewrite rule configuration.
Impact
Unauthenticated attackers can crash nginx (Denial of Service) on any server where rewrite rules referencing unnamed captures are in use.
If Address Space Layout Randomization (ASLR) is disabled, attackers may additionally execute arbitrary code remotely as the nginx user (Remote Code Execution). Most Linux distributions enable ASLR by default. This risk primarily affects Windows servers.
Affected versions
Warning: After updating Plesk, the installed nginx version may remain on the stable branch as 1.30.1. This version already contains the fix for CVE-2026-42945 and is not vulnerable. It is not required to update to 1.31.x to be protected.
- Verify the installed nginx version. Connect to the server via SSH and run:
# nginx -v
If the installed version is below 1.31.0 (mainline) or below 1.30.1 (stable), the nginx binary is vulnerable and must be updated.
- Check for vulnerable rewrite rules. Even if the binary version is below the fixed release, the DoS attack vector only applies if your configuration contains rewrite rules that reference unnamed regex captures. Run:
# nginx -T 2>/dev/null | grep -E 'rewrite.*\$[0-9]'
If one or more lines are returned, vulnerable rewrite rules were found: the server is exposed to the DoS vector and nginx must be updated.
Call to action
Update Plesk to the latest version:
# plesk installer --select-release-current --upgrade-installed-components
Mitigation
If immediate action is required before the Plesk fix is released, apply one or both of the following mitigations:
- Remove or rewrite affected rewrite rules. Replace unnamed regex captures ($1, $2, etc.) with named captures (e.g. (?P<name>pattern)) in all nginx configuration files.
- Ensure ASLR is enabled to reduce the risk to DoS only.
Verify the current state:
# cat /proc/sys/kernel/randomize_va_space
If the output is not 2, enable ASLR for the running system:
# echo 2 > /proc/sys/kernel/randomize_va_space
To persist the setting after a reboot, add the following line to /etc/sysctl.conf:
kernel.randomize_va_space = 2
Then apply:
# sysctl -p
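As an added example (not Plesk's or nginx's own tooling), the following POSIX shell script wraps the two checks from the "Affected versions" section, the binary version comparison and the grep for rewrite rules with unnamed captures, into reusable functions and runs them against a constructed nginx config. The fixed-version threshold is a parameter; the demo uses the 1.30.1 stable release named in the article, and the live check only runs when an nginx binary is on the PATH.

```shell
#!/bin/sh
# Added example, not Plesk's or nginx's own tooling: helpers for the two checks
# described above (binary version against a fixed release, and rewrite rules
# that reference unnamed captures). The config below is constructed for the
# example so the script runs without nginx installed.

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
version_lt() {
    a1=$(printf '%s' "$1" | cut -d. -f1); b1=$(printf '%s' "$2" | cut -d. -f1)
    a2=$(printf '%s' "$1" | cut -d. -f2); b2=$(printf '%s' "$2" | cut -d. -f2)
    a3=$(printf '%s' "$1" | cut -d. -f3); b3=$(printf '%s' "$2" | cut -d. -f3)
    a2=${a2:-0}; a3=${a3:-0}; b2=${b2:-0}; b3=${b3:-0}   # missing parts count as 0
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -lt "$b1" ] && return 0; return 1; fi
    if [ "$a2" -ne "$b2" ]; then [ "$a2" -lt "$b2" ] && return 0; return 1; fi
    [ "$a3" -lt "$b3" ] && return 0; return 1
}

# count_unnamed_capture_rewrites: read an nginx config on stdin and print how
# many rewrite directives reference an unnamed capture ($1, $2, ...). Same
# pattern as the grep in the check above; named captures ($name) do not match.
count_unnamed_capture_rewrites() {
    grep -Ec 'rewrite.*\$[0-9]' || true   # grep -c exits 1 when the count is 0
}

# Constructed sample config: two rules use unnamed captures, one uses a named
# capture, one has no capture at all.
SAMPLE_CONF='server {
    rewrite ^/old/(.*)$ /new/$1 permanent;
    rewrite ^/(a|b)/(.*)$ /$2 last;
    rewrite ^/item/(?P<id>[0-9]+)$ /item?id=$id last;
    rewrite ^/legacy$ /modern permanent;
}'

found=$(printf '%s\n' "$SAMPLE_CONF" | count_unnamed_capture_rewrites)
echo "rewrite rules with unnamed captures in sample config: $found"   # 2

# Live check when nginx is present; 1.30.1 is the fixed stable release per the article.
if command -v nginx >/dev/null 2>&1; then
    live=$(nginx -v 2>&1 | sed -n 's#.*nginx/##p')
    if version_lt "$live" "1.30.1"; then
        echo "nginx $live is below 1.30.1: update the binary"
    fi
    echo "live rewrite rules with unnamed captures: $(nginx -T 2>/dev/null | count_unnamed_capture_rewrites)"
fi
```

On a Plesk host the version string comes from `nginx -v` (printed on stderr, hence `2>&1`) and the full effective config from `nginx -T`, exactly as in the checks above.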
Comments
please correct 2/dev/null to 2>/dev/null in the command
nginx -T 2/dev/null | grep -E 'rewrite.*\$[0-9]'

Youcef Nafa thanks for flagging, it has been fixed!
If the output from the “plesk installer” command is as shown below, does that mean the server is OK?
You already have the latest version of product(s) and all the selected components installed. Installation will not continue.
Paul Larson if you can please check the output of nginx -v. As long as it is equal to or higher than 1.30.1, you're in the clear.