Mallory
Critical

Heap-based Buffer Overflow in NGINX JavaScript js_fetch_proxy/ngx.fetch

CVE-2026-8711 is a heap-based buffer overflow in NGINX JavaScript (njs) versions 0.9.4 through 0.9.8, reachable in deployments that load ngx_http_js_module. The bug is triggered when the js_fetch_proxy directive incorporates at least one client-controlled NGINX variable (for example $http_*, $arg_*, or $cookie_*) and a location invokes ngx.fetch() from njs code. An unauthenticated remote attacker can send crafted HTTP requests that set those variables to values that corrupt heap memory in the NGINX worker process. The documented outcome is a worker-process crash and restart; on systems with ASLR disabled, the memory corruption may be exploitable for code execution in the worker's context.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. For analysts and engineers who need to decide and keep moving.

Impact

What an attacker gets — and what they’ve been doing with it.

Successful exploitation crashes the NGINX worker process; the master process restarts it, but each crash drops the connections that worker was serving, and repeated exploitation sustains a denial of service on the data plane. Where ASLR is disabled, the heap corruption may be turned into remote code execution inside the worker process, with the confidentiality, integrity, and availability impact of that process context (everything the worker holds in memory, including request data and loaded TLS private keys). F5 states the issue is limited to the data plane and does not affect the control plane.

Mitigation

If you can’t patch tonight, do this now.

If you cannot upgrade immediately, find every js_fetch_proxy directive whose value incorporates a client-controlled variable ($http_*, $arg_*, $cookie_*, or any other request-derived variable such as $args or $request_uri) and either pin it to a fixed, operator-controlled proxy address or remove it; the vulnerable condition is met wherever such a directive is in effect for a location that calls ngx.fetch(). Do not pass untrusted request-derived values into js_fetch_proxy at all. Confirm ASLR is enabled on NGINX hosts (on Linux, /proc/sys/kernel/randomize_va_space should read 2); this raises the cost of turning the overflow into code execution but does nothing against the crash, so the denial-of-service risk remains until njs is upgraded.

Remediation

Patch, then assume compromise.

Upgrade NGINX JavaScript (njs) to version 0.9.9 or later, which contains the fix; affected versions are njs 0.9.4 through 0.9.8. After upgrading, still review every ngx_http_js_module deployment for js_fetch_proxy directives that use client-controlled NGINX variables and replace those values with fixed, operator-controlled addresses, since letting a client choose the egress proxy for server-side fetches is an exposure in its own right.
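
The audit that the mitigation and remediation steps call for, as an added example (this is not Mallory's, F5's, or the njs project's tooling): a POSIX shell script that flags js_fetch_proxy directives referencing client-controlled variables in an NGINX configuration and classifies an njs version string against the affected range 0.9.4 through 0.9.8. The two configuration blocks are constructed samples with placeholder hostnames, and the variable list extends the advisory's $http_*, $arg_*, and $cookie_* with other request-derived variables ($args, $request_uri, $query_string) as an assumed, broader starting point.

```shell
#!/bin/sh
# Added example, not Mallory's, F5's, or the njs project's code.
# Audits an NGINX configuration for js_fetch_proxy directives whose value comes
# from client-controlled variables, and classifies an njs version string
# against the range the advisory lists as affected (0.9.4 through 0.9.8).

# Variables the advisory names ($http_*, $arg_*, $cookie_*) plus other
# request-derived variables an attacker also controls (assumed extension).
UNTRUSTED_VARS='\$(http_[[:alnum:]_]+|arg_[[:alnum:]_]+|cookie_[[:alnum:]_]+|args|request_uri|query_string)'

# Read an NGINX configuration on stdin (for example the output of `nginx -T`),
# strip comments, and print every js_fetch_proxy directive whose value
# references an untrusted variable. Exit status 0 if any was found, 1 if none.
find_risky_fetch_proxy() {
    sed 's/#.*$//' \
      | grep -E '(^|[[:space:]])js_fetch_proxy[[:space:]]' \
      | grep -E "$UNTRUSTED_VARS"
}

# Return 0 if a dotted MAJOR.MINOR.PATCH njs version lies within 0.9.4..0.9.8,
# 1 if it lies outside that range, 2 if the string is not MAJOR.MINOR.PATCH.
njs_affected() {
    case $1 in
        *.*.*) ;;
        *) return 2 ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}          # drop package suffixes such as "-1"
    if [ "$major" -eq 0 ] && [ "$minor" -eq 9 ] \
        && [ "$patch" -ge 4 ] && [ "$patch" -le 8 ]; then
        return 0
    fi
    return 1
}

# Constructed sample: the proxy address is taken from a request header, so the
# client picks the js_fetch_proxy value used when app.handler calls ngx.fetch().
SAMPLE_VULNERABLE=$(cat <<'EOF'
location /api {
    js_fetch_proxy  http://$http_x_upstream_proxy:3128;   # client-controlled
    js_content      app.handler;
}
EOF
)

# Constructed sample: the same location pinned to an operator-controlled proxy.
SAMPLE_FIXED=$(cat <<'EOF'
location /api {
    js_fetch_proxy  http://egress-proxy.internal.example:3128;
    js_content      app.handler;
}
EOF
)

# Demonstration on the constructed samples.
echo "== vulnerable sample =="
if printf '%s\n' "$SAMPLE_VULNERABLE" | find_risky_fetch_proxy; then
    echo "=> pin js_fetch_proxy to a fixed address or remove the directive"
fi
echo "== fixed sample =="
if ! printf '%s\n' "$SAMPLE_FIXED" | find_risky_fetch_proxy; then
    echo "=> no client-controlled js_fetch_proxy value found"
fi
for v in 0.9.3 0.9.4 0.9.8 0.9.9 0.10.0; do
    if njs_affected "$v"; then
        echo "njs $v: in affected range, upgrade to 0.9.9 or later"
    else
        echo "njs $v: not in affected range"
    fi
done
```

Run it against the full effective configuration rather than a single file, so included files are covered: `nginx -T 2>/dev/null | find_risky_fetch_proxy` (after sourcing the functions). The comment stripping is line-based and does not understand quoted strings, so treat a hit as something to read, not as proof on its own; a directive that appears only inside a quoted string would still be flagged. The version check expects the installed njs package version (for example from your package manager, or `njs -v` where the njs command-line binary is installed).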

PUBLIC EXPLOITS

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors correlated with this vulnerability (vendor-confirmed product mapping):

Vendor   Product                   Type
F5       NGINX JavaScript (njs)    application
NGINX    ngx_http_js_module        application
