New NGINX Vulnerability Allows Remote Attackers to Trigger Malicious Code

Discover more Threat detection software Security audit services DDoS protection HomeCyber Security News New NGINX Vulnerability Allows Remote Attackers to Trigger Malicious Code By Abinaya May 20, 2026 A new vulnerability in NGINX JavaScript (njs), tracked as CVE‑2026‑8711, allows unauthenticated remote attackers to trigger a heap‑based buffer overflow that can lead to denial‑of‑service and, in some conditions, remote code execution in the NGINX worker process. The flaw is tied to how the js_fetch_proxy directive handles client‑controlled variables when combined with the ngx.fetch() operation from NGINX JavaScript. The issue arises in the ngx_http_js_module module when js_fetch_proxy is configured with at least one client‑controlled NGINX variable such as , , or . If a location then invokes an NJS function that calls ngx.fetch(), an attacker can send crafted HTTP requests that result in a heap buffer overflow in the NGINX worker process. NGINX Buffer Overflow Vulnerability The vulnerability is classified as CWE‑122: Heap‑based Buffer Overflow and is tracked internally by F5 as ID 160 for NGINX Plus and NGINX OSS. This defect primarily causes worker process crashes and automatic restarts, effectively producing a denial‑of‑service (DoS) condition on the NGINX data plane. On systems where Address Space Layout Randomization (ASLR) is disabled or poorly configured, the overflow may be exploitable to execute arbitrary code in the worker context. The vulnerability affects NGINX JavaScript (njs) versions 0.9.4 through 0.9.8, with the fix introduced in njs 0.9.9. The impacted component is the ngx_http_js_module module, which exposes NJS-based HTTP processing directives such as js_content and js_fetch_proxy. A typical vulnerable pattern is a configuration in which js_fetch_proxy constructs a proxy URL using client‑supplied headers, for example, \$http_x_user and \$http_x_password, and js_content points to an NJS function (for example, main.fetcher) that calls ngx.fetch() with that URL. In this setup, an attacker can manipulate those header values to corrupt heap memory in the NGINX worker and repeatedly crash it. F5 stated in article K000161307 that the issue is limited to the data plane and does not affect the control plane. Other F5 products and services, such as BIG‑IP, BIG‑IQ, BIG‑IP Next, F5OS, and F5 Distributed Cloud services, are reported as not vulnerable to CVE‑2026‑8711 in their evaluated versions. Administrators running affected njs versions are strongly advised to upgrade to NGINX JavaScript 0.9.9 or later as the primary remediation. Environments where the “Versions known to be vulnerable” column applies should move to a release listed in the “Fixes introduced in” column or later. Where an immediate upgrade is not possible, operators should review configurations for js_fetch_proxy usage with client‑controlled variables and refactor or remove these patterns, and ensure that ASLR is enabled on all NGINX hosts to hinder code‑execution attempts. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Langflow CVE-2026-33017 Exploited to Steal AWS Keys and Deploy NATS Worker 1 Million WordPress Sites Affected by Avada Builder File Read and SQL Injection Flaws Dell Support assist Updates Forces Windows Systems to BSOD Loop GitHub Source Code Breach – TeamPCP Claims Access to Internal Source Code Critical n8n Vulnerabilities Expose Automation Nodes to Full RCE Latest News Cyber Security News Hackers Abuse MSHTA Legacy Windows Tool to Deliver LummaStealer and Amatera Malware Cyber Security News GraphWorm Malware Uses Microsoft OneDrive as Command-and-Control Infrastructure Cyber Security News Microsoft Releases Mitigation for Windows BitLocker Security Bypass 0-Day Vulnerability Cyber Security News Fox Tempest Malware-Signing Service Abused Microsoft Artifact Signing to Certify Malware Cyber Attack News GitHub Hacked – Internal Source Code Repositories Compromised via Employee Device