
Description

NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
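A configuration audit for the precondition described above, as an added example that is not part of the advisory or of F5's code: it flags js_fetch_proxy values that reference client-controlled variables, directly or through set assignments. The sample configuration is constructed, and the set tracking and the extra variable names (args, query_string, request_uri) are assumptions of this example.

```python
import re

# Prefixes named in the advisory, plus three other request-derived nginx
# variables (an addition of this example; extend for your environment).
CLIENT_VAR = re.compile(r"(?:http_|arg_|cookie_)\w+|args|query_string|request_uri")
VAR = re.compile(r"\$\{?(\w+)\}?")
# A statement is a run of ${name} references or non-delimiter characters.
STMT = re.compile(r"((?:\$\{\w+\}|[^;{}])+)[;{}]")

def statements(conf):
    """Yield each directive as a list of words ('#' inside quotes not handled)."""
    for body in STMT.findall(re.sub(r"#[^\n]*", "", conf)):
        if words := body.split():
            yield words

def client_sources(text, tainted):
    """Client-controlled variables that text references, directly or via set."""
    found = []
    for var in VAR.findall(text):
        if CLIENT_VAR.fullmatch(var):
            found.append("$" + var)
        found.extend(tainted.get(var, []))
    return found

def audit(conf):
    """Return [(js_fetch_proxy value, [client-controlled sources])]."""
    tainted, findings = {}, []  # tainted: variable name -> its sources
    for words in statements(conf):
        value = " ".join(words[2:] if words[0] == "set" else words[1:])
        sources = client_sources(value, tainted)
        if words[0] == "set" and sources:
            # Conservative: scope-insensitive, and taint is never cleared.
            tainted[words[1].lstrip("$")] = sources
        elif words[0] == "js_fetch_proxy" and sources:
            findings.append((value, sources))
    return findings

# Constructed sample configuration, not taken from the advisory.
SAMPLE = """
server {
    location /a { js_fetch_proxy http://proxy.internal.example:3128; js_content main.a; }
    location /b { js_fetch_proxy http://$arg_proxy; js_content main.b; }  # direct
    location /c { set $p "${http_x_proxy}:3128"; js_fetch_proxy http://$p; js_content main.c; }
}
"""

if __name__ == "__main__":
    for value, sources in audit(SAMPLE):
        print(f"js_fetch_proxy {value}  <- {', '.join(sources)}")
```

Values built through map or js_set are not tracked, so an empty result is not proof that the directive is free of client input.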

PUBLISHED Reserved 2026-05-15 | Published 2026-05-19 | Updated 2026-05-20 | Assigner f5




HIGH: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CRITICAL: 9.2 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-122 Heap-based Buffer Overflow

Product status

Default status: unknown

0.9.4 (custom) before 0.9.9: affected

Credits

"F5 acknowledges udolemi (S2W) for bringing this issue to our attention and following the highest standards of coordinated disclosure." reporter

References

my.f5.com/manage/s/article/K000161307 vendor-advisory

cve.org (CVE-2026-8711)

nvd.nist.gov (CVE-2026-8711)
