F5 has issued a critical security advisory warning administrators about a severe vulnerability lurking within the NGINX JavaScript (njs) module. Tracked as CVE-2026-8711, the flaw carries a Critical CVSS v4.0 score of 9.2, emphasizing the high risk it poses to modern web infrastructure utilizing custom JavaScript logic at the proxy layer.
The security advisory explicitly defines the dangerous combination of configuration parameters required to expose a system: “NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript.”
If these specific conditions are met, the implications are severe: “An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart.”
The vulnerability is strictly isolated to the data plane, meaning there is no control plane exposure. Instead, the threat materializes when NGINX handles active, incoming traffic.
When the js_fetch_proxy directive dynamically expands user-controlled headers (like $http_x_user), URL parameters ($arg_*), or session cookies ($cookie_*), it fails to safely bounds-check the resulting string buffer during a backend network call triggered by ngx.fetch(). An unauthenticated attacker can submit an intentionally malformed HTTP request with bloated or structured headers to overflow the heap memory allocated to the NGINX worker process.
To help security teams audit their environments, F5 provided a textbook example of a vulnerable server block configuration:
The real-world impact of CVE-2026-8711 splits into two major categories depending on the target system’s underlying operating system hardening:
- Denial of Service (DoS): On standard, modern systems, the heap buffer overflow will corrupt worker process memory and trigger an immediate segmentation fault, forcing the NGINX worker process to crash and restart. By continuously firing crafted HTTP requests, an attacker can trap the web server in a permanent crash loop, effectively knocking the application offline.
- Remote Code Execution (RCE): The advisory drops a critical warning for specialized or legacy environments: “Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible.” Without ASLR to randomize memory offsets, a sophisticated attacker can structure their payload to reliably hijack the instruction pointer, leaping from a basic application crash to full shell execution under the context of the NGINX worker process.
The flaw impacts the core 0.x branch of the NGINX JavaScript (njs) module. Specifically, versions 0.9.4 through 0.9.8 are confirmed to be vulnerable.
F5 notes that the issue has been successfully resolved in NGINX JavaScript 0.9.9.
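To audit for the exposure conditions described above, the following added example (not F5's code or its sample configuration) scans NGINX configuration text for js_fetch_proxy directives that expand $http_*, $arg_* or $cookie_* variables and checks an njs version against the affected range. The sample configuration, host names and function names are constructed for illustration; the script does not inspect the JavaScript handlers for ngx.fetch() calls.

```python
import re

# Variable prefixes the advisory names as client-controlled.
CLIENT_PREFIXES = ("http_", "arg_", "cookie_")
# njs releases the article lists as vulnerable (fixed in 0.9.9).
AFFECTED_MIN, AFFECTED_MAX = (0, 9, 4), (0, 9, 8)
DIRECTIVE_RE = re.compile(r"\bjs_fetch_proxy\s+([^;]+);")
VARIABLE_RE = re.compile(r"\$\{?(\w+)\}?")

def risky_fetch_proxy(conf):
    """Return (line, value, client_vars) for each js_fetch_proxy that
    expands a client-controlled variable. Simplification: '#' always
    starts a comment, even inside a quoted string."""
    cleaned = "\n".join(l.split("#", 1)[0] for l in conf.splitlines())
    findings = []
    for m in DIRECTIVE_RE.finditer(cleaned):
        value = m.group(1).strip()
        hits = [v for v in VARIABLE_RE.findall(value)
                if v.startswith(CLIENT_PREFIXES)]
        if hits:
            line = cleaned.count("\n", 0, m.start()) + 1
            findings.append((line, value, hits))
    return findings

def njs_affected(version):
    """True if an njs version string falls in the vulnerable range."""
    parts = tuple(int(p) for p in version.split("."))
    return AFFECTED_MIN <= parts <= AFFECTED_MAX

# Constructed sample configuration (not F5's example).
SAMPLE_CONF = """\
http {
    js_import main from fetch.js;   # constructed file name
    server {
        location /static { js_fetch_proxy http://proxy.internal.example:3128; }
        location /api {
            # js_fetch_proxy $arg_old;  (commented out, ignored)
            js_fetch_proxy $http_x_proxy;
            js_content main.handler;
        }
        location /multi {
            js_fetch_proxy
                http://${cookie_route}.example:3128;
        }
    }
}
"""

if __name__ == "__main__":
    for line, value, hits in risky_fetch_proxy(SAMPLE_CONF):
        print(f"line {line}: js_fetch_proxy {value} expands {hits}")
    print("njs 0.9.8 affected:", njs_affected("0.9.8"))
```

A finding is only exploitable per the advisory when the same deployment also has a location that invokes ngx.fetch(), so review the imported JavaScript handlers for each flagged server block.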