Nginx CVE-2026-42945

Started by wirehire, May 14, 2026, 08:09:11 PM



Hey,

Which version runs on the OPNsense plugin for nginx?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295270

It came to a critical heap buffer overflow.

Greets

That would be nginx-1.30.0,3, but only if you actually install the plugin.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 450 up, Bufferbloat A+

So the fix is not in the version. Is it possible to update from the CLI? Or only wait for the new plugin?

A new version of the plugin is not necessary but OPNsense needs to release an updated version of the NginX package.

If you use the plugin you can more or less easily check if you are affected by the most serious of the current set of vulnerabilities, which you correctly identified as CVE-2026-42945. It gives an unauthenticated RCE (remote code execution). Big bada-boom.

But probably you don't need to worry.

1. Find the location of the NginX configuration in OPNsense - if I read the plugin source correctly, it's in /usr/local/etc/nginx just like in a regular FreeBSD install.

2. Inspect all configuration files in there for "rewrite" statements. If there are none, you are not affected.

3. Inspect all rewrite statements for occurrences of an unnamed regular expression capture in the match expression, i.e. a regular expression wrapped in parentheses e.g. like so:
(.*)

4. If an unnamed regular expression capture is found, does the replace expression contain a question mark, e.g. like so:
/index.php?page=$1

If no such expression is found you are also not affected.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
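
The four-step check from the post above, automated as an added example (not part of the original thread and not OPNsense or nginx project code). The function names `audit_text` and `audit_dir` and the `SAMPLE` config are constructed for illustration, and the comment and directive parsing is a heuristic, so treat a `REVIEW` line as a prompt to read that rewrite by hand:

```python
import re
import sys
from pathlib import Path

# "rewrite <regex> <replacement> [flag];" wherever a directive can start.
REWRITE = re.compile(
    r'(?:^|[;{}\s])rewrite\s+'
    r'(?P<regex>"[^"]*"|\'[^\']*\'|\S+)\s+'
    r'(?P<repl>"[^"]*"|\'[^\']*\'|[^\s;]+)', re.M)
# Unescaped "(" not followed by "?": an unnamed capture group.
# "(?:...)", "(?<name>...)" and "(?P<name>...)" do not match.
UNNAMED_CAPTURE = re.compile(r'(?<!\\)(?:\\\\)*\((?!\?)')
COMMENT = re.compile(r'(^|\s)#.*$', re.M)  # heuristic: ignores quoting

# Constructed sample config, not taken from any real system.
SAMPLE = r'''
server {
    # rewrite ^/old/(.*)$ /new.php?x=$1 last;
    rewrite ^/a/(.*)$ /index.php?page=$1 last;
    rewrite ^/b/(?<slug>.*)$ /index.php?page=$slug last;
    location /c/ { rewrite ^/c/(.*)$ /c2/$1 permanent; }
    rewrite_log on;
}
'''

def audit_text(text):
    """Return one dict per rewrite directive in an nginx config string."""
    text = COMMENT.sub(r'\1', text)
    findings = []
    for m in REWRITE.finditer(text):
        regex, repl = m.group('regex'), m.group('repl')
        findings.append({
            'line': text.count('\n', 0, m.start('regex')) + 1,
            'regex': regex, 'replacement': repl,
            # Steps 3 and 4 of the post: both conditions must hold.
            'review': bool(UNNAMED_CAPTURE.search(regex)) and '?' in repl})
    return findings

def audit_dir(conf_dir):
    """Scan every regular file below conf_dir; returns {path: findings}."""
    files = (p for p in sorted(Path(conf_dir).rglob('*')) if p.is_file())
    return {str(p): audit_text(p.read_text(errors='replace')) for p in files}

if __name__ == '__main__':
    report = audit_dir(sys.argv[1]) if len(sys.argv) > 1 else {'SAMPLE': audit_text(SAMPLE)}
    for path, found in report.items():
        for f in found:
            print('REVIEW' if f['review'] else 'ok', f"{path}:{f['line']}", f['regex'], f['replacement'])
```

Run it with the configuration directory named in step 1 as the only argument; without an argument it audits the embedded sample.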

Thanks, I looked and found nothing. But zero trust on me, so I wait for the patch, and closed the front.

I thought the packages come directly from FreeBSD, so a pkg update nginx worked. So thanks for the insight!