NGINX JavaScript (njs), Heap‑Based Buffer Overflow – CVE‑2026‑8711 (Critical) -DC-Jun2026-226


CVE‑2026‑8711 is a critical heap‑based buffer overflow vulnerability in the NGINX JavaScript (njs) module that arises when the `js_fetch_proxy` directive is configured with at least one client‑controlled NGINX variable (e.g., $http_, $arg_, $cookie_) and a location block invokes the `ngx.fetch()` operation.
In a vulnerable configuration, the `js_fetch_proxy` directive dynamically expands a proxy URL or upstream parameter using values that are fully controlled by an HTTP client – for instance, using `$http_x_user` from an incoming request header. When `ngx.fetch()` is later called, the njs module attempts to construct the target URL or backend request string by concatenating these user‑supplied variables without proper bounds checking. An attacker can send a crafted HTTP request that supplies an excessively long or specially structured string (e.g., a huge `X‑User` header or a deeply nested `arg_` parameter). Because no length validation is performed, the memory allocation routine in `ngx_http_js_module` writes past the boundaries of the allocated heap buffer, corrupting adjacent heap metadata or other heap‑allocated objects.
The flaw was introduced in the `dea83189` commit, which landed in njs version 0.9.4, and remained present through version 0.9.8. In practice, the overflow typically triggers a segmentation fault, causing the NGINX worker process to crash and restart. On systems where Address Space Layout Randomization (ASLR) is disabled – or if the attacker can bypass ASLR through a memory leak or a predictable heap layout – the overflow can be weaponized to overwrite a function pointer or a return address, leading to full remote code execution (RCE) under the privileges of the NGINX worker process. F5 has confirmed that this is a pure data‑plane issue; no control‑plane exposure exists. However, any internet‑facing server that uses the njs module with `js_fetch_proxy` and client‑controlled variables is at immediate risk. The vulnerability is catalogued under CWE‑122 (Heap‑based Buffer Overflow) and carries a CVSS v3.1 base score of 8.1 (High), with a CVSS v4.0 score of 9.2 (Critical). A public proof‑of‑concept is available, and the CISA Known Exploited Vulnerabilities catalog lists it as having known exploitation activity in the wild.

DailyCVE Form:

Platform: nginx njs
Version: 0.9.4 – 0.9.8
Vulnerability: Heap buffer overflow
Severity: Critical (CVSS 9.2)
Date: 2026‑05‑19

Prediction: Patch already released

What Undercode Say

The following commands can be used to audit an NGINX installation for the vulnerable njs module and to verify whether your configuration is susceptible.

Check njs module version:

For NGINX Plus / open source with njs installed (the `-E` flag is needed so that `+` is treated as a quantifier):

```shell
nginx -V 2>&1 | grep -oE 'njs-[0-9.]+'
```

Or query the package manager for the dynamic module package:

```shell
dpkg -l | grep njs
rpm -qa | grep njs
```

Inspect running NGINX configuration for dangerous patterns:

```shell
# Look for js_fetch_proxy combined with client-controlled variables.
# The -A/-B context means variables on nearby lines are flagged too, so
# review each hit by hand.
nginx -T 2>/dev/null | grep -A 5 -B 5 "js_fetch_proxy" | grep -E '\$(http_|arg_|cookie_)'
```

Example of a vulnerable location block (F5 advisory example):

```nginx
server {
    listen 127.0.0.1:8080;
    server_name localhost;
    location / {
        # Client-controlled variable expansion into URL contents
        js_fetch_proxy http://$http_x_user:[email protected]:3128;
        js_content main.fetcher;
    }
}
```

Patch verification (fixed version is njs 0.9.9):

```shell
# Update the njs module; adjust to your package manager
sudo apt update && sudo apt install libnginx-mod-js   # Debian/Ubuntu
sudo yum update nginx-module-njs                       # RHEL/CentOS
```

Or compile from source:

```shell
git clone https://github.com/nginx/njs.git
cd njs && git checkout tags/0.9.9 && ./configure && make && sudo make install
```

Note that `./configure && make` in the njs repository builds the standalone njs interpreter; the NGINX module itself is built from the NGINX source tree by passing `--add-dynamic-module=../njs/nginx` (or `--add-module`) to NGINX's `./configure`, so the module must be rebuilt against the patched njs checkout as well.

Exploit

The overflow is triggered by sending an HTTP request that provides an oversized client‑controlled variable whose value is later expanded into the proxy URL without bounds checking. Because `ngx.fetch()` uses the expanded string to open a backend connection, the heap corruption occurs during that string‑construction phase.

Proof‑of‑concept attack (curl):

```shell
curl -H "X-User: $(python3 -c 'print("A"*5000)')" \
     -H "X-Password: password" \
     http://target-nginx/vulnerable-location/
```

Repeatedly sending such a request crashes the worker process, leading to a permanent crash loop (DoS). On systems without ASLR, the overflow can be refined to overwrite a saved return address or a function pointer, gaining shell access under the nginx worker user.

Protection

  1. Upgrade immediately to njs version 0.9.9 or later – the official patch was released on 2026‑05‑19.
  2. Avoid using client‑controlled variables ( `$http_` , `$arg_` , `$cookie_` ) inside js_fetch_proxy. If dynamic values are required, validate and sanitize them inside a JavaScript handler before passing them to ngx.fetch().
  3. Enable ASLR on all systems that host NGINX. On Linux, verify with `cat /proc/sys/kernel/randomize_va_space`, which should return `2`.
  4. Temporarily disable `js_fetch_proxy` or remove any vulnerable location blocks if patching is not immediately possible.
  5. Deploy a WAF or edge firewall to block requests containing unusually long HTTP headers or parameters that match known attack patterns.
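The second item above recommends validating dynamic values in a JavaScript handler rather than letting `js_fetch_proxy` expand them. The njs handler below is an added example, not code from the advisory or the njs project: it assumes `js_fetch_proxy` is pointed at a fixed proxy URL in nginx.conf, that the backend base URL `http://backend.internal/profile` is a placeholder, and that the handler is wired with `js_content main.fetcher`.

```javascript
// Added example (not from the advisory or njs): validate the client-supplied
// X-User header before anything derived from it reaches ngx.fetch(). The
// location keeps js_fetch_proxy on a constant proxy URL, so nginx never
// expands $http_/$arg_/$cookie_ variables into the proxy string itself.

// Policy for the value we are willing to forward: short and from a tight
// character class, so an oversized or specially structured header is rejected
// up front instead of being concatenated into a URL.
const MAX_USER_LEN = 64;
const USER_RE = /^[A-Za-z0-9._-]+$/;

// Returns the validated user name, or null when the header is missing,
// empty, oversized, or contains characters outside the allowlist.
function validateUser(raw) {
  if (typeof raw !== 'string') return null;
  if (raw.length === 0 || raw.length > MAX_USER_LEN) return null;
  if (!USER_RE.test(raw)) return null;
  return raw;
}

// Backend URL built from a constant base plus the validated user name as a
// query parameter. The allowlist already excludes URL delimiters; the
// encodeURIComponent call is defence in depth if the policy is relaxed later.
const BACKEND_BASE = 'http://backend.internal/profile'; // assumed placeholder

function backendUrl(user) {
  return BACKEND_BASE + '?user=' + encodeURIComponent(user);
}

// njs request handler wired with `js_content main.fetcher`. Invalid input is
// answered with 400 before any upstream request is constructed.
function fetcher(r) {
  const user = validateUser(r.headersIn['X-User']);
  if (user === null) {
    r.return(400, 'invalid or missing X-User header\n');
    return;
  }
  ngx.fetch(backendUrl(user))
    .then((res) => res.text())
    .then((body) => r.return(200, body))
    .catch((e) => r.return(502, 'upstream error: ' + e.message + '\n'));
}

// In the njs module file, expose the handler with: export default { fetcher };
```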

Impact

  • Denial of Service (DoS) – Repeated crafted requests force the NGINX worker to crash and restart, making the server unresponsive (high availability impact).
  • Remote Code Execution (RCE) – When ASLR is disabled or bypassed, an attacker can execute arbitrary code with the privileges of the NGINX worker, potentially leading to full system compromise.
  • Data leakage / further exploitation – Even without RCE, the heap overflow can corrupt memory in ways that leak sensitive data or facilitate chaining with other vulnerabilities.
  • Wide exposure – NGINX powers over 30% of active websites; any public‑facing server using the njs module with the vulnerable configuration is at immediate risk.


Sources:

Reported By: nvd.nist.gov