Introduction
A heap buffer overflow in the NGINX JavaScript module allows unauthenticated remote attackers to crash NGINX worker processes, and potentially achieve code execution, by sending crafted HTTP requests to endpoints using the js_fetch_proxy directive with client controlled variables. With NGINX powering 32.4 percent of all websites with a known web server, even a vulnerability scoped to a specific module configuration warrants close attention from operations and security teams.
What makes this one notable is the scoring discrepancy: the NVD rates CVE-2026-8711 at CVSS 3.1 8.1 (High), while F5 themselves rate it at CVSS 4.0 9.2 (Critical). The vendor also states plainly that no workarounds exist; upgrading is the only path forward.
Technical Information
Root Cause
CVE-2026-8711 is a heap based buffer overflow (CWE-122) in the ngx_http_js_module component of NGINX JavaScript (njs). The flaw is strictly a data plane issue with no control plane exposure.
The vulnerability is triggered when two conditions are met simultaneously in the NGINX configuration:
- The
js_fetch_proxydirective is configured with at least one NGINX variable that a client can control, such as$http_*,$arg_*, or$cookie_*. - A location block invokes the
ngx.fetch()operation from JavaScript code.
When both conditions are present, client supplied data is expanded into the proxy URL construction path without adequate bounds checking. A crafted HTTP request can supply variable content that overflows the heap buffer allocated for the URL, corrupting adjacent memory in the NGINX worker process.
Vulnerable Configuration
F5 provided the following example of a vulnerable configuration in their advisory:
server { listen 127.0.0.1:8080; server_name localhost; location / { # Client controlled variable expansion into URL contents # Example below x-user and x-password headers are used to construct the proxy URL # main.fetcher is a JavaScript function defined in the js file that calls ngx.fetch with the constructed URL js_fetch_proxy http://$http_x_user:[email protected]:3128; js_content main.fetcher; } }
In this configuration, the $http_x_user and $http_x_password variables are derived directly from client supplied HTTP headers (X-User and X-Password). The attacker has full control over the content of these variables.
Attack Flow
- The attacker identifies an NGINX endpoint that uses
js_fetch_proxywith client controlled variables (e.g., custom headers, query parameters, or cookies). - The attacker crafts an HTTP request with oversized or specially structured values in the controlled headers (or other variable sources).
- The NGINX JavaScript module expands these values into the proxy URL during the
ngx.fetch()operation. - The expansion overflows the heap buffer allocated for the URL, corrupting adjacent heap memory.
- In the default case (ASLR enabled), this causes the NGINX worker process to crash and restart, resulting in denial of service.
- On systems where ASLR is disabled, the attacker can potentially control the overwritten heap metadata or adjacent objects to achieve arbitrary code execution.
The attack is unauthenticated and requires no special privileges, only the ability to send HTTP requests to the vulnerable endpoint.
Severity Scoring Discrepancy
The NVD assigns a CVSS 3.1 score of 8.1 (High), while F5 assigns a CVSS 4.0 score of 9.2 (Critical). Security teams should consider the vendor's assessment alongside the NVD score when prioritizing remediation, particularly given that F5 has the most detailed understanding of the affected code path.
Affected Systems and Versions
| Component | Vulnerable Versions | Fixed Version | Status |
|---|---|---|---|
| NGINX JavaScript (njs) | 0.9.4 through 0.9.8 | 0.9.9 | Immediate upgrade required |
| NGINX Open Source (core) | Not affected | N/A | No action needed |
| NGINX Plus | Not affected | N/A | No action needed |
| F5 Distributed Cloud | Not affected | N/A | No action needed |
| F5OS | Not affected | N/A | No action needed |
| F5 Silverline | Not affected | N/A | No action needed |
| NGINX One Console | Not affected | N/A | No action needed |
The vulnerable configuration requires both the js_fetch_proxy directive with client controlled NGINX variables and a location block invoking ngx.fetch(). Deployments that do not use this specific pattern in their njs configuration are not exploitable, even if running a vulnerable njs version.
Software versions that have reached End of Technical Support (EoTS) were not evaluated by the vendor.
Vendor Security History
F5 demonstrated a rapid response capability for this vulnerability, publishing the security advisory (K000161307) on May 19, 2026, the same day the CVE was published. The advisory was thorough in scope, clearly identifying affected and unaffected products, providing a vulnerable configuration example, and confirming that no workarounds exist. The vulnerability was discovered and reported by a researcher named udolemi from S2W through coordinated disclosure.



