New NGINX Vulnerability Allows Remote Attackers to Trigger Malicious Code

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A new vulnerability in NGINX JavaScript (njs), tracked as CVE‑2026‑8711, allows unauthenticated remote attackers to trigger a heap‑based buffer overflow that can lead to denial‑of‑service and, in some conditions, remote code execution in the NGINX worker process.

The flaw is tied to how the js_fetch_proxy directive handles client‑controlled variables when combined with the ngx.fetch() operation from NGINX JavaScript.

The issue arises in the ngx_http_js_module module when js_fetch_proxy is configured with at least one client‑controlled NGINX variable such as , , or .

If a location then invokes an NJS function that calls ngx.fetch(), an attacker can send crafted HTTP requests that result in a heap buffer overflow in the NGINX worker process.

NGINX Buffer Overflow Vulnerability

The vulnerability is classified as CWE‑122: Heap‑based Buffer Overflow and is tracked internally by F5 as ID 160 for NGINX Plus and NGINX OSS.

This defect primarily causes worker process crashes and automatic restarts, effectively producing a denial‑of‑service (DoS) condition on the NGINX data plane.

On systems where Address Space Layout Randomization (ASLR) is disabled or poorly configured, the overflow may be exploitable to execute arbitrary code in the worker context.

The vulnerability affects NGINX JavaScript (njs) versions 0.9.4 through 0.9.8, with the fix introduced in njs 0.9.9.

The impacted component is the ngx_http_js_module module, which exposes NJS-based HTTP processing directives such as js_content and js_fetch_proxy.

A typical vulnerable pattern is a configuration in which js_fetch_proxy constructs a proxy URL using client‑supplied headers, for example, $http_x_user and $http_x_password, and js_content points to an NJS function (for example, main.fetcher) that calls ngx.fetch() with that URL.

In this setup, an attacker can manipulate those header values to corrupt heap memory in the NGINX worker and repeatedly crash it.

F5 stated in article K000161307 that the issue is limited to the data plane and does not affect the control plane.

Other F5 products and services, such as BIG‑IP, BIG‑IQ, BIG‑IP Next, F5OS, and F5 Distributed Cloud services, are reported as not vulnerable to CVE‑2026‑8711 in their evaluated versions.

Administrators running affected njs versions are strongly advised to upgrade to NGINX JavaScript 0.9.9 or later as the primary remediation.

Environments where the “Versions known to be vulnerable” column applies should move to a release listed in the “Fixes introduced in” column or later.

Where an immediate upgrade is not possible, operators should review configurations for js_fetch_proxy usage with client‑controlled variables and refactor or remove these patterns, and ensure that ASLR is enabled on all NGINX hosts to hinder code‑execution attempts.
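The configuration review described above can be scripted. The following is an added example, not code from F5 or the njs project: it flags js_fetch_proxy directives whose value uses a client-controlled variable, directly or through a `set` assignment. The list of variable names treated as client-controlled and the sample configuration are assumptions made for this example.

```python
import re

# Assumption (not from the advisory): which NGINX variables count as
# client-controlled. The page's $http_x_user / $http_x_password match "http_".
CLIENT_VAR = re.compile(
    r"(http_\w+|arg_\w+|cookie_\w+|args|query_string|request_uri|uri|request_body)$")
VAR = re.compile(r"\$\{?(\w+)")
SET = re.compile(r"(?:^|[;{}])\s*set\s+\$(\w+)\s+(.+?)\s*;")
PROXY = re.compile(r"(?:^|[;{}])\s*js_fetch_proxy\s+(.+?)\s*;")

def risky(value, tainted):
    """Variables in value that are client-controlled or derived from one."""
    return [v for v in VAR.findall(value) if CLIENT_VAR.match(v) or v in tainted]

def audit(conf_text):
    """Return [(line_no, directive_value, risky_vars)] for js_fetch_proxy lines."""
    # Naive comment stripping; assumes no '#' inside directive values.
    lines = [ln.split("#", 1)[0] for ln in conf_text.splitlines()]
    tainted, changed = set(), True
    while changed:  # propagate taint through `set $x <value>;` to a fixpoint
        changed = False
        for ln in lines:
            m = SET.search(ln)
            if m and m.group(1) not in tainted and risky(m.group(2), tainted):
                tainted.add(m.group(1))
                changed = True
    findings = []
    for no, ln in enumerate(lines, 1):
        m = PROXY.search(ln)
        hits = risky(m.group(1), tainted) if m else []
        if hits:
            findings.append((no, m.group(1), hits))
    return findings

# Constructed sample configuration (host names and locations are made up).
SAMPLE = """\
server {
    set $who $arg_user;
    location /a {
        js_fetch_proxy http://$http_x_user:$http_x_password@proxy.example:3128;
        js_content main.fetcher;
    }
    location /b { js_fetch_proxy http://$who@proxy.example:3128; js_content main.fetcher; }
    location /c { js_fetch_proxy http://proxy.example:3128; js_content main.fetcher; }
}
"""
if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The check reads one file at a time and only the first js_fetch_proxy or `set` on a line, so run it over every included file and treat a clean result as a starting point for manual review.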
