NGINX has a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests, but exploitation also depends on conditions beyond the attacker's control. This may cause a heap buffer overflow in the NGINX worker process, leading to a restart.
For EAR, the following buildpacks include nginx:
The vulnerable versions of nginx are 0.6.27 through 1.30.0.
TPCF/EAR
The vulnerable code path requires a specific rewrite directive pattern: unnamed captures combined with a replacement string that contains a question mark (?). The buildpacks ship nginx as a user-app runtime and do not configure nginx with those directives themselves; the app's own nginx config determines whether they are present. So the buildpack itself isn't exploitable, but any user app that uses those rewrite patterns can be.
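To triage an app's nginx config for the pattern described above, the following added example (not part of the buildpacks or of nginx) flags each rewrite whose replacement contains `?` and that is followed, in the same or a nested block, by a rewrite, if, or set directive, with an unnamed capture on either line. The function name `audit`, the scoping rule and the sample config are assumptions made for illustration; the check is a heuristic that does not follow `include` files, so flagged lines need manual review.

```python
import re

# Constructed sample app config, not taken from the advisory.
SAMPLE = """\
server {
    location /a/ {
        rewrite ^/a/(.*)$ /b?item=$1 last;
    }
    location /c/ {
        rewrite ^/c/(.*)$ /d?item=$1;
        set $flag 1;
    }
    location /e/ {
        rewrite ^/e/(.*)$ /f/$1;
        set $flag 1;
    }
}
"""

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[^\s;{}]+')
QUOTED = re.compile(r'"[^"]*"|\'[^\']*\'')
UNNAMED = re.compile(r'\$[1-9]')   # unnamed PCRE captures such as $1, $2
FOLLOWERS = {"rewrite", "if", "set"}

def audit(conf_text):
    """Return [(line_no, directive)] for '?' rewrites followed by rewrite/if/set."""
    findings = []
    stack = [[]]   # one candidate list per open block; stack[0] is the file level
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # assumption: no '#' inside strings
        toks = TOKEN.findall(line)
        name = toks[0] if toks else ""
        if name in FOLLOWERS:
            uses_capture = bool(UNNAMED.search(line))
            for cands in stack:               # this block and every enclosing one
                for cand in [c for c in cands if c[2] or uses_capture]:
                    findings.append(cand[:2])
                    cands.remove(cand)
            if name == "rewrite" and len(toks) >= 3 and "?" in toks[2]:
                stack[-1].append((no, line, bool(UNNAMED.search(toks[2]))))
        for ch in QUOTED.sub("", line):       # track block nesting outside strings
            if ch == "{":
                stack.append([])
            elif ch == "}" and len(stack) > 1:
                stack.pop()
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

In the sample, only the rewrite in `location /c/` is reported: the one in `/a/` has no following rewrite-module directive in scope, and the one in `/e/` has no `?` in its replacement.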
This vulnerability has been resolved in the following buildpack releases.
Staticfile Buildpack: v1.6.83
NGINX Buildpack: v1.2.82
For further updates regarding this change, please refer to the official buildpack release notes here: