CVE-2026-8711 - Vulnerability Details

- NGINX JavaScript vulnerability

Description

NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible.

Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Published: 2026-05-19

Score: 9.2 Critical

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

NGINX JavaScript becomes vulnerable when the js_fetch_proxy directive is configured with any client‑controlled variable such as $http_*, $arg_*, or $cookie_* while a location uses the ngx.fetch() operation. This induces a heap buffer overflow in the worker process, which can trigger a restart. For deployments with Address Space Layout Randomization disabled, the same flaw can lead to arbitrary code execution.

Affected Systems

The vulnerability impacts the NGINX JavaScript engine supplied by F5. No specific affected product versions are listed in the available data, so any installation using the js_fetch_proxy directive with client‑controlled variables is potentially at risk.

Risk and Exploitability

The CVSS score of 9.2 indicates a high severity. Attackers can reach the flaw from outside the system by sending crafted HTTP requests, making it a remote unauthenticated vulnerability. The EPSS score is not available and the flaw is not listed in CISA’s KEV catalog, but the lack of mitigations such as ASLR greatly increases the exploit likelihood. Given the potential for immediate denial of service and conditional code execution, the risk remains high.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

NGINX JavaScript

unknown

Version	Status	Constraints
`0.9.4`	affected	< 0.9.9

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the NGINX JavaScript engine to the latest version recommended by F5
If an update is not available, edit or remove any js_fetch_proxy directives that include client‑controlled variables, or disable the directive entirely
Enable Address Space Layout Randomization on the host to reduce the chance of achieving code execution

Generated by OpenCVE AI on May 19, 2026 at 15:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://my.f5.com/manage/s/article/K000161307

History

Tue, 19 May 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 19 May 2026 14:30:00 +0000

Type	Values Removed	Values Added
Description		NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_, $arg_, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Title		NGINX JavaScript vulnerability
Weaknesses		CWE-122
References		https://my.f5.com/manage/s/article/K000161307
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}` cvssV4_0 `{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: f5

Published: 2026-05-19T14:04:18.860Z

Updated: 2026-05-19T14:41:17.101Z

Reserved: 2026-05-15T20:10:29.764Z

Link: CVE-2026-8711

Vulnrichment

Updated: 2026-05-19T14:41:13.238Z

NVD

Status : Received

Published: 2026-05-19T15:16:33.017

Modified: 2026-05-19T15:16:33.017

Link: CVE-2026-8711

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T15:30:08Z

Weaknesses

CWE-122

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object