Description
NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR.


Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Published: 2026-05-19
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NGINX JavaScript becomes vulnerable when the js_fetch_proxy directive is configured with one or more client‑controlled variables such as $http_*, $arg_*, or $cookie_* while a location uses the ngx.fetch() operation. An unauthenticated attacker can send crafted HTTP requests that trigger a heap buffer overflow in the worker process, potentially causing a restart. If Address Space Layout Randomization is disabled or can be bypassed, the same flaw can also lead to arbitrary code execution.

Affected Systems

The vulnerability impacts the NGINX JavaScript engine supplied by F5. No specific affected product versions are listed in the available data, so any installation using the js_fetch_proxy directive with client‑controlled variables is potentially at risk.

Risk and Exploitability

The CVSS v4.0 score of 9.2 is rated Critical. Attackers can reach the flaw from outside the system by sending crafted HTTP requests, making it a remote, unauthenticated vulnerability. The EPSS score of approximately 0.18% indicates a very low exploitation probability. The flaw is not listed in CISA’s KEV catalog, but the absence of mitigations such as ASLR on a host greatly increases the likelihood of exploitation. Given the potential for immediate denial of service and conditional code execution, the risk remains high.

Generated by OpenCVE AI on May 21, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the NGINX JavaScript engine to the latest version recommended by F5
  • If an update is not available, edit or remove any js_fetch_proxy directives that include client‑controlled variables, or disable the directive entirely
  • Enable Address Space Layout Randomization on the host to reduce the chance of achieving code execution
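
An added example, not from the advisory or from F5: a configuration audit for the second action above, reporting each js_fetch_proxy directive whose argument uses a client-controlled variable. It goes beyond the advisory's direct case by also following `set` assignments; the `audit` function, the sample configuration and its host and variable names are constructed for illustration.

```python
import re

# Prefixes the advisory gives as examples of client-controlled variables.
CLIENT_PREFIXES = ("http_", "arg_", "cookie_")
VAR = re.compile(r"\$\{?(\w+)")
# A js_fetch_proxy or set directive up to its ';'. `${name}` is matched as one
# unit. Limitation: a ';' inside a quoted string ends the match early.
DIRECTIVE = re.compile(
    r"(?:^|(?<=[;{}]))\s*(js_fetch_proxy|set)\s+((?:\$\{\w+\}|[^;{}])*)(?=;)", re.M)

# Constructed sample configuration (not from the advisory).
SAMPLE = """\
http {
    js_import main from fetch.js;
    server {
        set $upstream_proxy $arg_proxy;  # indirect client control
        location /a { js_fetch_proxy http://$http_x_proxy:3128; js_content main.a; }
        location /b { js_fetch_proxy $upstream_proxy; js_content main.b; }
        location /c { js_fetch_proxy http://proxy.internal.example:3128; js_content main.c; }
        # location /d { js_fetch_proxy $cookie_p; }
    }
}
"""

def audit(conf):
    """Return [(line, args, [client-controlled variables])] per risky js_fetch_proxy."""
    text = re.sub(r"#[^\n]*", "", conf)  # drop comments, keep line numbering
    found = [(text.count("\n", 0, m.start(1)) + 1, m.group(1), m.group(2).strip())
             for m in DIRECTIVE.finditer(text)]
    tainted = set()

    def risky(name):
        return name.startswith(CLIENT_PREFIXES) or name in tainted

    # Follow `set $x <value>` to a fixed point so file order does not matter.
    changed = True
    while changed:
        changed = False
        for _, directive, args in found:
            names = VAR.findall(args)
            if (directive == "set" and names and names[0] not in tainted
                    and any(risky(n) for n in names[1:])):
                tainted.add(names[0])
                changed = True
    return [(line, args, [n for n in VAR.findall(args) if risky(n)])
            for line, directive, args in found
            if directive == "js_fetch_proxy" and any(risky(n) for n in VAR.findall(args))]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run it over the full effective configuration (for example the output of `nginx -T`) so that included files are covered.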

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared F5 njs
CPEs cpe:2.3:a:f5:njs:*:*:*:*:*:*:*:*
Vendors & Products F5 njs

Thu, 21 May 2026 19:15:00 +0000

Type Values Removed Values Added
Description
Values Removed: NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Values Added: NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Wed, 20 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared F5
F5 nginx Javascript
Vendors & Products F5
F5 nginx Javascript

Tue, 19 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 19 May 2026 14:30:00 +0000

Type Values Removed Values Added
Description NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title NGINX JavaScript vulnerability
Weaknesses CWE-122
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: f5

Published:

Updated: 2026-05-21T18:29:16.674Z

Reserved: 2026-05-15T20:10:29.764Z

Link: CVE-2026-8711

Vulnrichment

Updated: 2026-05-19T14:41:13.238Z

NVD

Status: Analyzed

Published: 2026-05-19T15:16:33.017

Modified: 2026-06-04T13:29:57.397

Link: CVE-2026-8711

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T21:00:16Z

Weaknesses