New NGINX JavaScript Vulnerability Can Crash Servers and May Allow Code Execution
6 min. read 
Published on
A newly disclosed NGINX JavaScript vulnerability can let unauthenticated remote attackers crash affected NGINX worker processes and, in specific conditions, execute code. The flaw is tracked as CVE-2026-8711 and affects NGINX JavaScript, also known as njs.
The issue does not affect every NGINX installation. It applies to deployments using vulnerable njs versions with a risky configuration involving the js_fetch_proxy directive and ngx.fetch().
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
F5 and NGINX have released a fix in njs 0.9.9. Administrators running njs versions from 0.9.4 through 0.9.8 should review their configurations and update as soon as possible.
What CVE-2026-8711 affects
CVE-2026-8711 is a heap-based buffer overflow in the NGINX JavaScript module. The bug can be triggered when js_fetch_proxy uses client-controlled NGINX variables and the configured JavaScript handler calls ngx.fetch().
Client-controlled variables can include request headers, query arguments, and cookies. In a vulnerable setup, an attacker can send crafted HTTP requests that corrupt memory inside the NGINX worker process.
The most likely result is a worker restart, which can disrupt service. On systems without proper Address Space Layout Randomization protection, or where attackers can bypass it, the flaw may also lead to code execution in the worker process.
NGINX vulnerability details
| Item | Details |
|---|---|
| CVE | CVE-2026-8711 |
| Affected component | NGINX JavaScript njs, ngx_http_js_module |
| Vulnerable versions | njs 0.9.4 through 0.9.8 |
| Fixed version | njs 0.9.9 |
| Weakness type | CWE-122, heap-based buffer overflow |
| Authentication required | No |
| Main impact | Denial of service through NGINX worker process restart |
| Possible expanded impact | Code execution if ASLR is disabled or bypassed |
How the attack works
The vulnerable condition appears when js_fetch_proxy builds its proxy value from variables derived from the client request. Examples include $http_*, $arg_*, and $cookie_* values.
If a location then invokes an njs handler that calls ngx.fetch(), malicious input in those request-controlled fields can trigger the overflow. The attack can be launched through crafted HTTP requests and does not require authentication.
This makes the flaw important for public-facing NGINX servers that use njs for request handling, dynamic routing, authentication flows, or API logic.
Why the risk depends on configuration
Many NGINX deployments do not use NGINX JavaScript at all. Others may use njs but not the specific js_fetch_proxy and ngx.fetch() pattern required to trigger the vulnerability.
That makes configuration review essential. Security teams should not assume a server is vulnerable only because it runs NGINX. They need to check whether njs is installed, which version is running, and whether js_fetch_proxy uses request-controlled variables.
The vulnerable pattern is especially risky when headers, cookies, or query parameters help build an upstream fetch proxy target.
What administrators should check
- Check whether NGINX JavaScript njs is installed.
- Confirm the deployed njs version.
- Look for njs versions 0.9.4 through 0.9.8.
- Search NGINX configuration files for js_fetch_proxy.
- Review whether js_fetch_proxy uses $http_*, $arg_*, or $cookie_* variables.
- Check whether affected locations call ngx.fetch().
- Confirm ASLR is enabled on NGINX hosts.
The fix is available in njs 0.9.9
NGINX released njs 0.9.9 on May 19, 2026, with a security fix for CVE-2026-8711. The changelog says the bug was introduced in njs 0.9.4.
Upgrading to njs 0.9.9 or later is the primary remediation. Organizations that receive NGINX through a Linux distribution, container image, appliance, or managed platform should check their vendor’s update channel.
Some environments may need to wait for downstream packages or container images. In those cases, administrators should remove risky js_fetch_proxy patterns until an update is available.
Recommended mitigation steps
| Priority | Action | Reason |
|---|---|---|
| High | Upgrade to njs 0.9.9 or later | This version includes the security fix. |
| High | Remove client-controlled variables from js_fetch_proxy | This reduces exposure to the vulnerable code path. |
| Medium | Audit locations using ngx.fetch() | The vulnerability requires a JavaScript handler that invokes ngx.fetch(). |
| Medium | Confirm ASLR is enabled | ASLR makes code execution harder if memory corruption occurs. |
| Medium | Monitor worker restarts | Repeated crashes may indicate attempted exploitation or unsafe input. |
F5 says other evaluated products are not affected
F5’s advisory focuses on NGINX JavaScript. Other F5 product lines, including BIG-IP, BIG-IQ, BIG-IP Next, F5OS, and F5 Distributed Cloud services, were listed as not vulnerable in evaluated versions.
That distinction matters because the vulnerability is tied to njs behavior, not the broader NGINX name alone. Organizations should still verify their exact products, versions, and deployment model.
Managed services and third-party platforms may also ship their own NGINX builds. Security teams should check vendor notices instead of relying only on local package names.
Why this NGINX flaw matters
NGINX often sits at the edge of web applications, APIs, and internal services. A worker crash can reduce availability, and repeated crashes can create a denial-of-service condition during peak traffic.
The possible code execution angle raises the stakes for poorly hardened systems. Even though the attack complexity is higher when ASLR is active, public-facing infrastructure should not depend on memory protection alone.
The safer path is to patch njs, remove risky configuration patterns, and check logs for abnormal worker exits after suspicious requests.
Summary
- CVE-2026-8711 affects NGINX JavaScript njs, not all NGINX servers.
- The vulnerable condition involves js_fetch_proxy, client-controlled variables, and ngx.fetch().
- Attackers can send crafted HTTP requests without authentication.
- The main impact is a heap buffer overflow that can restart NGINX worker processes.
- Code execution may be possible if ASLR is disabled or bypassed.
- Administrators should upgrade to njs 0.9.9 or later.
FAQ
CVE-2026-8711 is a heap-based buffer overflow vulnerability in NGINX JavaScript njs. It can be triggered when js_fetch_proxy uses client-controlled variables and a JavaScript handler calls ngx.fetch().
No. The flaw affects NGINX deployments that use vulnerable NGINX JavaScript njs versions and the specific js_fetch_proxy and ngx.fetch() configuration pattern. Servers that do not use njs or that do not use the vulnerable pattern are not exposed to this issue in the same way.
The vulnerability affects njs versions 0.9.4 through 0.9.8. NGINX fixed the issue in njs 0.9.9.
Yes. An unauthenticated remote attacker can send crafted HTTP requests to a vulnerable configuration. The most direct impact is a worker process crash, while code execution depends on ASLR being disabled or bypassed.
Administrators should upgrade to njs 0.9.9 or later. If they cannot update immediately, they should review js_fetch_proxy usage, remove client-controlled variables from affected configurations, audit ngx.fetch() handlers, and confirm ASLR is enabled.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages