Critical Heap Buffer Overflow Discovered in NGINX JavaScript (njs) Module

A high-severity security flaw has been identified within the NGINX JavaScript (njs) module, introducing a significant risk of service disruption and potential system compromise. The vulnerability allows remote, unauthenticated attackers to trigger a heap-based buffer overflow, which can result in a Denial-of-Service (DoS) via worker process crashes or, under specific architectural conditions, Remote Code Execution (RCE).

The flaw is officially tracked as CVE-2026-8711 and is classified under CWE-122 (Heap-based Buffer Overflow). F5 has released a detailed security advisory, K000161307, outlining the specific conditions required for exploitation.

Technical Deep Dive: The Mechanics of the Overflow

The vulnerability resides in the implementation of the js_fetch_proxy directive. The issue manifests when this directive is utilized to construct a proxy URL using variables that are directly influenced by client input. Specifically, when NGINX JavaScript uses ngx.fetch() in conjunction with variables such as $http_*, $arg_*, or $cookie_*, an attacker can supply oversized or specially crafted strings through HTTP headers, arguments, or cookies.

Because these client-controlled strings are expanded into the heap memory allocated for the proxy URL construction, a lack of strict bounds checking allows the input to overflow the allocated buffer. This memory corruption can destabilize the NGINX worker process, leading to a crash. In a production environment, an attacker could repeatedly trigger this flaw to keep the service offline.

The risk escalates significantly in environments where Address Space Layout Randomization (ASLR) is disabled or bypassed. In such scenarios, the heap overflow can be weaponized to overwrite adjacent memory structures, potentially granting the attacker the ability to execute arbitrary code with the privileges of the NGINX worker process.

Scope and Impact Assessment

F5 notes that this is strictly a data-plane issue; the control-plane components of NGINX remain unaffected. However, the impact on the data plane is substantial:

  • CVSS v3.1 Score: 8.1 (High)
  • CVSS v4.0 Score: 9.2 (Critical)
  • Affected Versions: NGINX JavaScript (njs) versions 0.9.4 through 0.9.8.

It is important to note that this vulnerability is specific to the ngx_http_js_module within the 0.x branch. Most other F5 and NGINX ecosystem products—including BIG-IP, BIG-IQ, F5 Distributed Cloud, F5OS, and NGINX One—are not vulnerable unless they specifically utilize the vulnerable njs configuration pattern described above.

Remediation and Mitigation Strategies

F5 has confirmed that there are no standalone configuration mitigations that fully neutralize the risk if the vulnerable code path is active. Therefore, the primary recommendation is an immediate upgrade to njs version 0.9.9 or later, which contains the formal fix for the js_fetch_proxy heap overflow.

For administrators who cannot immediately patch, the following architectural refactoring is advised:

  1. Sanitize Inputs: Avoid using raw, untrusted client variables (like headers or cookies) directly within the js_fetch_proxy directive.
  2. Refactor Logic: Redesign NGINX JavaScript logic to ensure that any URL construction involving ngx.fetch() uses validated, internal, or strictly bounded variables rather than direct expansions of $http_* or $arg_*.

Organizations should perform a thorough audit of their NGINX configurations to identify any usage of the js_fetch_proxy directive combined with client-side variables. Once identified, consult the F5 advisory to align with recommended security hotfix and lifecycle management procedures.

Related Articles

Back to top button