EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in the NGINX JavaScript module, specifically affecting versions 0.9.4 through 0.9.8. These vulnerabilities are primarily related to heap buffer overflows, which can be exploited by sending crafted HTTP requests. The implications of these vulnerabilities are severe, posing a high risk to modern web infrastructure that utilizes custom JavaScript logic at the proxy layer. If exploited, these vulnerabilities can lead to Denial of Service or Remote Code Execution attacks, resulting in significant business disruption and potential financial losses. CVE-2026-8711 with a CVSS score of 9.2 – This vulnerability occurs when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests, causing a heap buffer overflow in the NGINX worker process leading to a restart. The overall risk and urgency of these vulnerabilities are critical, with a potential for significant business disruption and financial losses. If exploited, these vulnerabilities can lead to permanent crashes, denial of service, and potentially remote code execution attacks, resulting in significant downtime and potential data breaches.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in the NGINX JavaScript module, specifically affecting versions 0.9.4 through 0.9.8. These vulnerabilities are primarily related to heap buffer overflows, which can be exploited by sending crafted HTTP requests. The implications of these vulnerabilities are severe, posing a high risk to modern web infrastructure that utilizes custom JavaScript logic at the proxy layer. If exploited, these vulnerabilities can lead to Denial of Service or Remote Code Execution attacks, resulting in significant business disruption and potential financial losses. CVE-2026-8711 with a CVSS score of 9.2 – This vulnerability occurs when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests, causing a heap buffer overflow in the NGINX worker process leading to a restart. The overall risk and urgency of these vulnerabilities are critical, with a potential for significant business disruption and financial losses. If exploited, these vulnerabilities can lead to permanent crashes, denial of service, and potentially remote code execution attacks, resulting in significant downtime and potential data breaches.[emaillocker id="1283"]
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/nginx-javascript-njs-module-heap-overflow-vulnerability-cve-2026-8711/