CVE-2026-8711: NGINX JavaScript Flaw Allows RCE on Servers
A high-severity heap buffer overflow vulnerability in NGINX’s JavaScript (njs) module has been disclosed by F5, exposing web servers running affected configurations to denial-of-service attacks and, under specific conditions, full remote code execution (RCE).
Tracked as CVE-2026-8711 and documented in F5 security advisory K000161307, the flaw carries a CVSS v3.1 score of 8.1 (High) and a CVSS v4.0 score of 9.2 (Critical), making it one of the more serious NGINX vulnerabilities disclosed in recent months.
The flaw is classified as a heap-based buffer overflow (CWE-122) and resides specifically in the interaction between the js_fetch_proxy directive and client-controlled NGINX variables such as $http_*, $arg_*, or $cookie_*, when used inside a location block that invokes ngx.fetch() from NGINX JavaScript.
When an attacker sends a crafted HTTP request that manipulates these variables, the NGINX worker process experiences a heap buffer overflow, causing it to crash and restart, resulting in a denial-of-service (DoS) condition.
On systems where Address Space Layout Randomization (ASLR) is disabled, the same overflow can be weaponized for arbitrary code execution by unauthenticated remote attackers.
F5 clarifies that this is strictly a data-plane vulnerability with no impact on control-plane components.
Affected Versions
The vulnerability affects NGINX JavaScript (njs) versions 0.9.4 through 0.9.8, specifically via the ngx_http_js_module.
The issue is confined to the 0.x branch and does not impact other F5 products including BIG-IP, BIG-IQ, F5 Distributed Cloud services, F5OS, NGINX One Console, or NGINX core deployments that do not use this njs pattern.
| Component | Affected Versions | Fixed Version |
|---|---|---|
| NGINX JavaScript (njs) | 0.9.4 – 0.9.8 | 0.9.9 |
| NGINX Plus / OSS (njs module) | Internal ID: 160 | Update to njs 0.9.9 |
F5’s advisory highlights a representative vulnerable configuration where request headers like x-user and x-password are passed into js_fetch_proxy to construct a proxy URL dynamically.
When combined with js_content invoking a JavaScript function that calls ngx.fetch(), the server becomes exploitable via routine HTTP requests, with no authentication required.
Mitigation
F5 has confirmed there is no standalone workaround for this vulnerability. Organizations are strongly advised to take one of the following actions:
- Upgrade NGINX JavaScript to version 0.9.9 or later, which includes a direct fix for the heap buffer overflow in js_fetch_proxy
- Refactor configurations to eliminate client-controlled variables ($http_*, $arg_*, $cookie_*) from js_fetch_proxy URLs in locations that call ngx.fetch()
- Review the evaluated product tables in advisory K000161307 to confirm whether your deployment is within the vulnerable pattern before planning production upgrades
Administrators operating in environments with ASLR disabled should treat this as a Critical priority given the elevated RCE risk. F5 recommends consulting its security hotfix and lifecycle guidance before executing upgrades in production.
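To scope the upgrade and the refactoring, it helps to locate every js_fetch_proxy directive whose value is built from $http_*, $arg_*, or $cookie_* variables. The audit script below is an added example, not code from F5 or from the original article; its simplified parsing rules, the sample configuration, and names such as proxy.example.internal and main.handler are constructed for illustration.

```python
import re

# Variable families the advisory names as client-controlled.
CLIENT_VAR = re.compile(r"\$\{?(?:http|arg|cookie)_\w+")
AFFECTED = ((0, 9, 4), (0, 9, 8))  # njs range per the advisory; fixed in 0.9.9

def njs_affected(version):
    """True if an njs version string falls inside the affected range."""
    v = tuple(int(p) for p in version.split("."))
    return AFFECTED[0] <= v <= AFFECTED[1]

def audit(conf):
    """Flag js_fetch_proxy values built from client-controlled variables.
    Simplified parsing (assumption): one directive per line, '#' starts a comment."""
    stack, hits = [{"header": "(top level)", "js_content": False}], []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        name = line.split()[0] if line else ""
        if line.endswith("{"):
            stack.append({"header": line[:-1].strip(), "js_content": False})
        elif line.startswith("}") and len(stack) > 1:
            stack.pop()
        elif name == "js_content":
            stack[-1]["js_content"] = True
        elif name == "js_fetch_proxy":
            found = CLIENT_VAR.findall(line)
            if found:  # keep a reference to the block; js_content may follow later
                hits.append((lineno, found, stack[-1]))
    return [{"line": n, "vars": v, "block": b["header"],
             "js_content": b["js_content"]} for n, v, b in hits]

# Constructed sample: x-user / x-password header values flow into the proxy URL.
SAMPLE = """\
server {
    location /proxied {
        js_fetch_proxy http://$http_x_user:$http_x_password@proxy.example.internal:3128;
        js_content main.handler;
    }
    location /fixed-proxy {
        js_fetch_proxy http://proxy.example.internal:3128;
        js_content main.handler;
    }
}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A finding with js_content set marks a location that matches the pattern the advisory describes; whether the handler actually calls ngx.fetch() still has to be confirmed in the JavaScript source.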