CVE-2026-8711

EUVD-2026-30940
NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, attackers can execute code on systems with Address Space Layout Randomization (ASLR) disabled or when the attacker can bypass ASLR. 


Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 54%
Affected Products (NVD)
VendorProductVersion
f5njs
0.9.4 ≤
𝑥
< 0.9.9
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libnginx-mod-js
bookworm
0.7.9-2
fixed
forky
1.0.0-1
fixed
sid
1.0.0-1
fixed
trixie
0.8.9-1
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
nginx
Azure Linux 3.0
0:1.28.3-3.azl3
fixed