Update your nginx instances
cross-posted from: https://lemmy.world/post/46851448
- Affected an non-affected versions https://nginx.org/en/security_advisories.html
- CVE record https://www.cve.org/CVERecord?id=CVE-2026-42945
- CVE details https://nvd.nist.gov/vuln/detail/CVE-2026-42945
- PoC https://github.com/DepthFirstDisclosures/Nginx-Rift
CVE - Common Vulnerabilities and Exposures system
RCE - Remote Code Execution
PoC - Proof of Concept
You can use pnpm instead of npm. pnpm has a “Delay dependency updates” feature where you can install package versions that are x old only.
See https://pnpm.io/supply-chain-security#delay-dependency-updates
Edit: I just found out, that this can also be specified in npm and yarn: https://gist.github.com/mcollina/b294a6c39ee700d24073c0e5a4e93104