External risk intelligence

NGINX JavaScript vulnerability could let attackers take control or crash systems

CVE advisory

Severity: CRITICAL (CVSS 9.2)

CVE-2026-8711

A critical flaw in NGINX JavaScript allows unauthenticated attackers to crash or potentially take control of internet-facing servers through crafted requests, impacting service availability and data security.

Halo Surface Signal: 5

Weakness: Buffer Overflow

Product: F5 Njs

Affected versions: 0.9.4 to before 0.9.9

External exposure likelihood

NGINX operates primarily as an internet-facing web server, reverse proxy, and API gateway. The `js_fetch_proxy` directive and `ngx.fetch()` are used in request handling, so servers with this configuration are standard examples of public-facing edge infrastructure explicitly designed to process external HTTP traffic.

PCI scan relevance

Yes

CVE-2026-8711 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

A heap buffer overflow in NGINX JavaScript can lead to remote code execution if ASLR is disabled. This vulnerability could impact systems processing sensitive cardholder data.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in NGINX JavaScript can allow an unauthenticated attacker to cause a heap buffer overflow by sending crafted HTTP requests. If successful, this could cause the NGINX worker process to restart and, under certain conditions, allow attackers to execute code.

  • Affects internet-facing NGINX servers.
  • Could lead to service disruption.
  • May allow code execution.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this flaw by sending crafted HTTP requests to an NGINX server configured with a vulnerable JavaScript module. This could trigger a heap buffer overflow, potentially leading to a server restart or, under specific conditions like disabled ASLR, code execution.

  • Exploitable via crafted HTTP requests.
  • Requires specific NGINX JavaScript configuration.
  • Heap overflow can lead to restart or code execution.

Live Threat

Current exploitation, exposure, and threat context

The described NGINX vulnerability presents a concerning threat due to its potential for unauthenticated remote exploitation. The ability to cause a heap buffer overflow and potentially achieve code execution, especially in environments with ASLR disabled, makes it an attractive target for attackers aiming for system compromise. While the exploit requires specific configuration and bypassing ASLR can be challenging, the impact of a successful attack is severe.

  • Exploitation requires specific configuration.
  • Public exploit code is not yet observed.
  • Heap overflow leading to code execution.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize reviewing NGINX configurations for the `js_fetch_proxy` directive used with client-controlled variables and `ngx.fetch()`. If found, investigate potential heap buffer overflows and code execution risks, especially on systems with ASLR disabled. Actively monitor network traffic for exploit attempts targeting this vulnerability.

  • Block malicious traffic patterns.
  • Isolate or take affected services offline.
  • Monitor for exploit indicators.

Frequently asked questions

What is NGINX JavaScript and its primary use cases?

NGINX JavaScript is a module for the NGINX web server that allows developers to implement custom logic using JavaScript. It is commonly employed to enhance NGINX's functionalities for tasks such as managing request routing, handling authentication, and generating dynamic content, thereby increasing the flexibility and programmability of the web server.

How does CVE-2026-8711 manifest as a heap buffer overflow weakness?

CVE-2026-8711 is identified as a heap buffer overflow vulnerability. This occurs when a program writes more data into a buffer located on the heap than it is designed to hold. The vulnerability is triggered by a specially crafted HTTP request processed by a misconfigured NGINX JavaScript module.

What specific configuration in NGINX JavaScript enables this heap buffer overflow?

The vulnerability arises when the `js_fetch_proxy` directive is configured with at least one client-controlled NGINX variable, such as `$http_*`, `$arg_*`, or `$cookie_*`, in conjunction with a location that invokes the `ngx.fetch()` operation from NGINX JavaScript.

What is the potential impact of exploiting CVE-2026-8711?

Exploitation of this vulnerability can lead to a heap buffer overflow within the NGINX worker process, potentially causing a restart of the process. In environments where Address Space Layout Randomization (ASLR) is disabled, or if an attacker can bypass ASLR, this could enable attackers to execute arbitrary code on the affected systems. The Halo Surface Signal indicates a 'Very likely' threat due to NGINX's role as an internet-facing web server processing external HTTP traffic.

What steps should be taken to respond to this NGINX JavaScript vulnerability?

It is recommended to review NGINX configurations for the presence of the `js_fetch_proxy` directive used with client-controlled variables and `ngx.fetch()`. If identified, assess the risks of heap buffer overflows and potential code execution, particularly on systems without ASLR enabled. Continuous monitoring of network traffic for indicators of exploit attempts is also advised.
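
One way to carry out the configuration review described above, as an added example (not F5's or the advisory's own tooling): it flags `js_fetch_proxy` values containing `$http_*`, `$arg_*` or `$cookie_*` variables, checks whether a handler calls `ngx.fetch()`, and tests an njs version against the affected range. The sample configuration, handler source and host names are constructed.

```python
import re

# Client-controlled variable families named in the advisory.
CLIENT_VAR = re.compile(r"\$\{?(?:http|arg|cookie)_\w+")
FETCH_PROXY = re.compile(r"\bjs_fetch_proxy\s+([^;]*);")
COMMENT = re.compile(r"#[^\n]*")      # simplification: '#' inside quotes is not handled
FETCH_CALL = re.compile(r"\bngx\.fetch\s*\(")

def is_affected_version(version):
    """Affected range from the advisory: 0.9.4 up to, but not including, 0.9.9."""
    parts = tuple(int(p) for p in version.split("."))
    return (0, 9, 4) <= parts < (0, 9, 9)

def uses_fetch(js_source):
    """True when the njs handler source calls ngx.fetch()."""
    return bool(FETCH_CALL.search(js_source))

def audit_config(text):
    """Return (line, value, client_vars) for each risky js_fetch_proxy directive."""
    # Blank out comments in place so offsets and line numbers stay valid.
    clean = COMMENT.sub(lambda m: " " * len(m.group()), text)
    findings = []
    for m in FETCH_PROXY.finditer(clean):
        value = m.group(1).strip()
        client_vars = CLIENT_VAR.findall(value)
        if client_vars:
            line = clean.count("\n", 0, m.start()) + 1
            findings.append((line, value, client_vars))
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE_CONF = """\
http {
    js_import main from fetch.js;
    server {
        listen 80;
        location /static {
            js_fetch_proxy http://proxy.internal.example:3128;
            js_content main.handler;
        }
        location /api {
            # js_fetch_proxy http://$http_x_old:3128;
            js_fetch_proxy http://$http_x_proxy_host:$arg_port;
            js_content main.handler;
        }
    }
}
"""
SAMPLE_JS = "async function handler(r) { let reply = await ngx.fetch('http://backend.example/'); r.return(reply.status); }"

if __name__ == "__main__":
    for line, value, names in audit_config(SAMPLE_CONF):
        print(f"line {line}: js_fetch_proxy {value} uses {', '.join(names)}")
```

On a live host, pass the output of `nginx -T` to `audit_config()` so that included files are covered.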
