Summary
The safeline-tengine:9.3.7 image ships nginx/1.28.3 (Tengine), which falls within the affected range of CVE-2026-42945 — a heap buffer overflow in ngx_http_rewrite_module disclosed by F5 on 2026-05-13 (CVSS v3.1 8.1 / CVSS v4 9.2).
Upstream nginx fixed this in 1.30.1 and 1.31.0. Tengine merged a backport to master on 2026-05-15 (alibaba/tengine#2027); no tagged Tengine release containing the fix has been published yet at the time of this issue.
Environment
SafeLine: 9.3.7 (community edition)
Image: swr.cn-east-3.myhuaweicloud.com/chaitin-safeline/safeline-tengine:9.3.7
nginx -v inside container: nginx/1.28.3
Affected versions (upstream)
nginx Open Source: 0.6.27 – 1.30.0 — fixed in 1.30.1 / 1.31.0
Tengine: fix merged to master via PR #2027, no tagged release yet
Exploitation conditions
The vulnerability is reachable only when all three conditions hold in the same scope:
A rewrite directive uses an unnamed PCRE capture ($1, $2, …)
The replacement string contains ?
Another rewrite, if, or set directive follows
In one SafeLine deployment I inspected, the auto-generated configs under /etc/nginx/sites-enabled/ use patterns like:
set $should_rewrite 0;
if ($host !~* ^(example\.com)$) { set $should_rewrite 1; }
if ($should_rewrite) { rewrite ^ /.safeline/not_found_page last; }
These do not match the trigger pattern. User-defined site configurations could differ.
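A small audit check for the three trigger conditions listed above, written as an added example for this issue (it is not SafeLine or Tengine code). It uses a deliberately simplified nginx tokenizer (assumption: `#` starts a comment, and no `;` or braces appear inside quoted values) and two constructed sample configs, one matching the pattern and one in the SafeLine style shown above.

```python
import re

CAPTURE_REF = re.compile(r"\$\d")        # $1, $2, ... referenced in the replacement
FOLLOWERS = {"rewrite", "if", "set"}      # a following one of these completes the trigger

# Constructed samples: the first meets all three conditions, the second is the
# SafeLine-style pattern quoted in the issue and does not.
VULNERABLE_CONF = """location /old {
    rewrite ^/old/(.*)$ /new/$1?legacy=1 break;
    set $migrated 1;
}"""
SAFELINE_STYLE_CONF = """server {
    set $should_rewrite 0;
    if ($host !~* ^(example\\.com)$) { set $should_rewrite 1; }
    if ($should_rewrite) { rewrite ^ /.safeline/not_found_page last; }
}"""

def tokenize(conf):
    # Directive strings plus '{' / '}' markers. Simplified on purpose (assumption):
    # '#' starts a comment; ';' or braces inside quoted values are not handled.
    text = " ".join(line.split("#", 1)[0] for line in conf.splitlines())
    return [t.strip() for t in re.findall(r"[{}]|[^{};]+", text) if t.strip()]

def find_trigger_patterns(conf):
    # Return (rewrite directive, following directive) pairs for which the replacement
    # references a numbered capture, contains '?', and a rewrite/if/set follows in scope.
    stack = [[]]; scopes = [stack[0]]       # one list of (name, text) per block scope
    for tok in tokenize(conf):
        if tok == "{":
            stack.append([]); scopes.append(stack[-1])
        elif tok == "}":
            stack.pop()
        else:
            stack[-1].append((tok.split()[0], tok))
    findings = []
    for scope in scopes:
        for i, (name, text) in enumerate(scope):
            args = text.split()[1:]
            if name != "rewrite" or len(args) < 2:
                continue
            repl = args[1].strip("'\"")
            follower = next((t for n, t in scope[i + 1:] if n in FOLLOWERS), None)
            if CAPTURE_REF.search(repl) and "?" in repl and follower:
                findings.append((text, follower))
    return findings
```

Run it over the files under /etc/nginx/sites-enabled/ (and any user-defined site configs) to list rewrites worth reviewing until a fixed image is available.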
References
nginx security advisory: https://nginx.org/en/security_advisories.html
Upstream fix: nginx/nginx@524977e
Tengine backport: alibaba/tengine#2027