The flaw is tied to how the js_fetch_proxy directive handles client‑controlled variables when combined with the ngx.fetch() operation from NGINX JavaScript.
The issue arises in the ngx_http_js_module module when js_fetch_proxy is configured with at least one client‑controlled NGINX variable such as , , or .
If a location then invokes an NJS function that calls ngx.fetch(), an attacker can send crafted HTTP requests that result in a heap buffer overflow in the NGINX worker process.
The vulnerability is classified as CWE‑122: Heap‑based Buffer Overflow and is tracked internally by F5 as ID 160 for NGINX Plus and NGINX OSS.
This defect primarily causes worker process crashes and automatic restarts, effectively producing a denial‑of‑service (DoS) condition on the NGINX data plane.
On systems where Address Space Layout Randomization (ASLR) is disabled or poorly configured, the overflow may be exploitable to execute arbitrary code in the worker context.
The vulnerability affects NGINX JavaScript (njs) versions 0.9.4 through 0.9.8, with the fix introduced in njs 0.9.9.
The impacted component is the ngx_http_js_module module, which exposes NJS-based HTTP processing directives such as js_content and js_fetch_proxy.
A typical vulnerable pattern is a configuration in which js_fetch_proxy constructs a proxy URL using client‑supplied headers, for example, $http_x_user and $http_x_password, and js_content points to an NJS function (for example, main.fetcher) that calls ngx.fetch() with that URL.
In this setup, an attacker can manipulate those header values to corrupt heap memory in the NGINX worker and repeatedly crash it.
F5 stated in article K000161307 that the issue is limited to the data plane and does not affect the control plane.
Other F5 products and services, such as BIG‑IP, BIG‑IQ, BIG‑IP Next, F5OS, and F5 Distributed Cloud services, are reported as not vulnerable to CVE‑2026‑8711 in their evaluated versions.
Administrators running affected njs versions are strongly advised to upgrade to NGINX JavaScript 0.9.9 or later as the primary remediation.
Environments where the “Versions known to be vulnerable” column applies should move to a release listed in the “Fixes introduced in” column or later.
Where an immediate upgrade is not possible, operators should review configurations for js_fetch_proxy usage with client‑controlled variables and refactor or remove these patterns, and ensure that ASLR is enabled on all NGINX hosts to hinder code‑execution attempts.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
The post New NGINX Vulnerability Allow Remote Attackers to Trigger Malicious Code appeared first on Cyber Security News.
Christopher Nolan's The Odyssey won't be three hours long... but it will be pretty dang…
The Recertified Sonos Memorial Day Sale is now live and will run through Memorial Day,…
Warning: This article contains full spoilers for The Mandalorian and Grogu!The Mandalorian and Grogu has…
Hackers have been caught running a deceptive campaign that uses fake Microsoft Teams download websites…
A new wave of malware disguised as everyday productivity tools has been quietly spreading across…
A large-scale phishing campaign is actively targeting U.S. organizations, using fake event invitations as bait…
This website uses cookies.