CVE-2026-27654: nginx WebDAV: heap-buffer-overflow in COPY/MOVE with alias directive
CVE-2026-27654 is verified against nginx · source affected versions: OSS 0.5.13–0.9.7, 1.0.0–1.28.2, 1.29.0–1.29.6; Plus R32–R36 vulnerability class: RCE This high reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00171.
pruva-verify REPRO-2026-00171 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00171/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh ngx_http_dav_module handles WebDAV PUT/DELETE/MKCOL/COPY/MOVE. For COPY and MOVE it constructs the destination filesystem path from the request's Destination: header. When the matched location uses alias /some/dir/; (rather than root) and a prefix that doesn't match the URI segment 1:1, the length calculation that sizes the destination string buffer underestimates by the alias substitution offset. The destination filename is then written past the end of a heap allocation in the nginx worker process — a heap-buffer-overflow write reachable unauthenticated on any nginx host that turns on dav_methods under such a location.
The reachable side effects depend on what the overflow corrupts:
- denial-of-service via worker crash and respawn loop;
- in some configurations, arbitrary file write at controllable paths (the F5 advisory rates impact "I:L A:H");
- possible escalation to RCE via worker-heap corruption (not guaranteed, depends on allocator state).
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.