A critical heap overflow in NGINX’s ngx_http_rewrite_module, present for approximately 18 years, allows unauthenticated remote code execution (RCE) with a single HTTP request, and a public exploit is available. The blast radius spans NGINX Open Source, NGINX Plus, and a broad F5 product family including App Protect WAF, Gateway Fabric, and Ingress Controller. End-of-life legacy NGINX versions will not receive patches.