Skip to content
Verified reproduction

CVE-2026-27654: nginx WebDAV: heap-buffer-overflow in COPY/MOVE with alias directive

CVE-2026-27654 is verified against nginx · source affected versions: OSS 0.5.13–0.9.7, 1.0.0–1.28.2, 1.29.0–1.29.6; Plus R32–R36 vulnerability class: RCE This high reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00171.

REPRO-2026-00171 nginx · source RCE Variant found May 28, 2026 CVE entry .txt
Severity HIGH
Confidence HIGH
Reproduced in 21m 40s
Tool calls 173
Spend $1.68
Affected OSS 0.5.13–0.9.7, 1.0.0–1.28.2, 1.29.0–1.29.6; Plus R32–R36
$ pruva-verify REPRO-2026-00171
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00171/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

ngx_http_dav_module handles WebDAV PUT/DELETE/MKCOL/COPY/MOVE. For COPY and MOVE it constructs the destination filesystem path from the request's Destination: header. When the matched location uses alias /some/dir/; (rather than root) and a prefix that doesn't match the URI segment 1:1, the length calculation that sizes the destination string buffer underestimates by the alias substitution offset. The destination filename is then written past the end of a heap allocation in the nginx worker process — a heap-buffer-overflow write reachable unauthenticated on any nginx host that turns on dav_methods under such a location.

The reachable side effects depend on what the overflow corrupts:

  • denial-of-service via worker crash and respawn loop;
  • in some configurations, arbitrary file write at controllable paths (the F5 advisory rates impact "I:L A:H");
  • possible escalation to RCE via worker-heap corruption (not guaranteed, depends on allocator state).
03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.

bundle/context.json2.5 KB
bundle/metadata.json0.6 KB
bundle/ticket.md5.0 KB
bundle/repro/rca_report.md6.8 KB
bundle/repro/reproduction_steps.sh4.8 KB
bundle/repro/validation_verdict.json1.2 KB
bundle/repro/nginx.conf0.5 KB
bundle/vuln_variant/root_cause_equivalence.json1.3 KB
bundle/vuln_variant/rca_report.md8.0 KB
bundle/vuln_variant/patch_analysis.md4.6 KB
bundle/vuln_variant/variant_manifest.json3.1 KB
bundle/vuln_variant/runtime_manifest.json2.5 KB
bundle/vuln_variant/reproduction_steps.sh6.9 KB
bundle/vuln_variant/validation_verdict.json1.4 KB
bundle/logs/vuln_prefix_curl_err.txt0.0 KB
bundle/logs/vuln_exact_stdout.txt0.0 KB
bundle/logs/fixed_prefix_curl_err.txt0.0 KB
bundle/logs/fixed_stderr.txt0.0 KB
bundle/logs/vuln_urlenc_curl.txt0.0 KB
bundle/logs/vuln_nested_curl_err.txt0.0 KB
bundle/logs/test_stderr.txt0.0 KB
bundle/logs/fixed_prefix_stderr.txt0.0 KB
bundle/logs/fixed_nested_curl_err.txt0.0 KB
bundle/logs/vulnerable_asan.txt3.2 KB
bundle/logs/fixed_script_curl.txt0.2 KB
bundle/logs/vuln_prefix.182683.2 KB
bundle/logs/vuln_move_stderr.txt0.0 KB
bundle/logs/fixed_exact_curl.txt0.2 KB
bundle/logs/fixed_nested_stdout.txt0.0 KB
bundle/logs/asan_vulnerable.170163.2 KB
bundle/logs/variant_final.log1.1 KB
bundle/logs/vuln_exact_curl_err.txt0.0 KB
bundle/logs/fixed_curl_err.txt0.0 KB
bundle/logs/fixed_urlenc_stderr.txt0.0 KB
bundle/logs/fixed_script_curl_err.txt0.0 KB
bundle/logs/vuln_script_stdout.txt0.0 KB
bundle/logs/fixed_nested_stderr.txt0.0 KB
bundle/logs/fixed_move_stdout.txt0.0 KB
bundle/logs/fixed_script_stdout.txt0.0 KB
bundle/logs/vuln_move_stdout.txt0.0 KB
bundle/logs/fixed_move_curl_err.txt0.0 KB
bundle/logs/error.log8.6 KB
bundle/logs/vuln_script_curl.txt0.0 KB
bundle/logs/fixed_script_stderr.txt0.0 KB
bundle/logs/vuln_prefix_stdout.txt0.0 KB
bundle/logs/fixed_move_stderr.txt0.0 KB
bundle/logs/vuln_move.182923.2 KB
bundle/logs/fixed_nested_curl.txt0.2 KB
bundle/logs/vuln_script.182863.2 KB
bundle/logs/vuln_script_curl_err.txt0.0 KB
bundle/logs/vuln_nested_stdout.txt0.0 KB
bundle/logs/vulnerable_curl_err.txt0.0 KB
bundle/logs/fixed_exact_stdout.txt0.0 KB
bundle/logs/vuln_nested.182803.2 KB
bundle/logs/test_stdout.txt0.0 KB
bundle/logs/fixed_prefix_stdout.txt0.0 KB
bundle/logs/fixed_urlenc_curl_err.txt0.0 KB
bundle/logs/vuln_nested_stderr.txt0.0 KB
bundle/logs/access.log3.3 KB
bundle/logs/vuln_script_stderr.txt0.0 KB
bundle/logs/vulnerable_stdout.txt0.0 KB
bundle/logs/vuln_urlenc_stdout.txt0.0 KB
bundle/logs/variant_tests.log0.1 KB
bundle/logs/vuln_prefix_curl.txt0.0 KB
bundle/logs/vuln_nested_curl.txt0.0 KB
bundle/logs/fixed_move_curl.txt0.2 KB
bundle/logs/vuln_move_curl_err.txt0.0 KB
bundle/logs/vulnerable_curl.txt0.0 KB
bundle/logs/test_curl_err.txt0.0 KB
bundle/logs/test_curl.txt0.0 KB
bundle/logs/vuln_urlenc_stderr.txt0.0 KB
bundle/logs/vuln_move_curl.txt0.0 KB
bundle/logs/fixed_exact_stderr.txt0.0 KB
bundle/logs/nginx.pid0.0 KB
bundle/logs/vuln_exact.182743.2 KB
bundle/logs/vuln_urlenc_curl_err.txt0.0 KB
bundle/logs/fixed_urlenc_stdout.txt0.0 KB
bundle/logs/fixed_curl.txt0.2 KB
bundle/logs/vulnerable_stderr.txt0.0 KB
bundle/logs/fixed_stdout.txt0.0 KB
bundle/logs/vuln_exact_curl.txt0.0 KB
bundle/logs/vuln_prefix_stderr.txt0.0 KB
bundle/logs/vuln_exact_stderr.txt0.0 KB
bundle/logs/vuln_urlenc.182983.2 KB
bundle/logs/fixed_exact_curl_err.txt0.0 KB
bundle/logs/fixed_urlenc_curl.txt0.2 KB
bundle/logs/fixed_prefix_curl.txt0.2 KB