ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-8711 Heap Buffer Overflow in NGINX JavaScript (njs) via js_fetch_proxy

A short review of CVE-2026-8711, a heap buffer overflow in the NGINX JavaScript module triggered through crafted HTTP requests when js_fetch_proxy uses client controlled variables. The flaw affects njs versions 0.9.4 through 0.9.8 and carries a CVSS 4.0 score of 9.2 from the vendor.

CVE Analysis

5 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-19

Brief Summary: CVE-2026-8711 Heap Buffer Overflow in NGINX JavaScript (njs) via js_fetch_proxy
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A heap buffer overflow in the NGINX JavaScript module allows unauthenticated remote attackers to crash NGINX worker processes, and potentially achieve code execution, by sending crafted HTTP requests to endpoints using the js_fetch_proxy directive with client controlled variables. With NGINX powering 32.4 percent of all websites with a known web server, even a vulnerability scoped to a specific module configuration warrants close attention from operations and security teams.

What makes this one notable is the scoring discrepancy: the NVD rates CVE-2026-8711 at CVSS 3.1 8.1 (High), while F5 themselves rate it at CVSS 4.0 9.2 (Critical). The vendor also states plainly that no workarounds exist; upgrading is the only path forward.

Technical Information

Root Cause

CVE-2026-8711 is a heap based buffer overflow (CWE-122) in the ngx_http_js_module component of NGINX JavaScript (njs). The flaw is strictly a data plane issue with no control plane exposure.

The vulnerability is triggered when two conditions are met simultaneously in the NGINX configuration:

  1. The js_fetch_proxy directive is configured with at least one NGINX variable that a client can control, such as $http_*, $arg_*, or $cookie_*.
  2. A location block invokes the ngx.fetch() operation from JavaScript code.

When both conditions are present, client supplied data is expanded into the proxy URL construction path without adequate bounds checking. A crafted HTTP request can supply variable content that overflows the heap buffer allocated for the URL, corrupting adjacent memory in the NGINX worker process.

Vulnerable Configuration

F5 provided the following example of a vulnerable configuration in their advisory:

server { listen 127.0.0.1:8080; server_name localhost; location / { # Client controlled variable expansion into URL contents # Example below x-user and x-password headers are used to construct the proxy URL # main.fetcher is a JavaScript function defined in the js file that calls ngx.fetch with the constructed URL js_fetch_proxy http://$http_x_user:[email protected]:3128; js_content main.fetcher; } }

In this configuration, the $http_x_user and $http_x_password variables are derived directly from client supplied HTTP headers (X-User and X-Password). The attacker has full control over the content of these variables.

Attack Flow

  1. The attacker identifies an NGINX endpoint that uses js_fetch_proxy with client controlled variables (e.g., custom headers, query parameters, or cookies).
  2. The attacker crafts an HTTP request with oversized or specially structured values in the controlled headers (or other variable sources).
  3. The NGINX JavaScript module expands these values into the proxy URL during the ngx.fetch() operation.
  4. The expansion overflows the heap buffer allocated for the URL, corrupting adjacent heap memory.
  5. In the default case (ASLR enabled), this causes the NGINX worker process to crash and restart, resulting in denial of service.
  6. On systems where ASLR is disabled, the attacker can potentially control the overwritten heap metadata or adjacent objects to achieve arbitrary code execution.

The attack is unauthenticated and requires no special privileges, only the ability to send HTTP requests to the vulnerable endpoint.

Severity Scoring Discrepancy

The NVD assigns a CVSS 3.1 score of 8.1 (High), while F5 assigns a CVSS 4.0 score of 9.2 (Critical). Security teams should consider the vendor's assessment alongside the NVD score when prioritizing remediation, particularly given that F5 has the most detailed understanding of the affected code path.

Affected Systems and Versions

ComponentVulnerable VersionsFixed VersionStatus
NGINX JavaScript (njs)0.9.4 through 0.9.80.9.9Immediate upgrade required
NGINX Open Source (core)Not affectedN/ANo action needed
NGINX PlusNot affectedN/ANo action needed
F5 Distributed CloudNot affectedN/ANo action needed
F5OSNot affectedN/ANo action needed
F5 SilverlineNot affectedN/ANo action needed
NGINX One ConsoleNot affectedN/ANo action needed

The vulnerable configuration requires both the js_fetch_proxy directive with client controlled NGINX variables and a location block invoking ngx.fetch(). Deployments that do not use this specific pattern in their njs configuration are not exploitable, even if running a vulnerable njs version.

Software versions that have reached End of Technical Support (EoTS) were not evaluated by the vendor.

Vendor Security History

F5 demonstrated a rapid response capability for this vulnerability, publishing the security advisory (K000161307) on May 19, 2026, the same day the CVE was published. The advisory was thorough in scope, clearly identifying affected and unaffected products, providing a vulnerable configuration example, and confirming that no workarounds exist. The vulnerability was discovered and reported by a researcher named udolemi from S2W through coordinated disclosure.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization