New NGINX Vulnerability Allows Unauthenticated RCE
Original: New NGINX Vulnerability Allows Unauthenticated RCE
Why This Matters
Critical web server vulnerability affects widely-used NGINX infrastructure
CVE-2026-8711 vulnerability in NGINX JavaScript allows remote attackers to trigger heap buffer overflow leading to denial-of-service and potential code execution. Affects njs versions 0.9.4-0.9.8, fixed in 0.9.9.
A critical vulnerability CVE-2026-8711 in NGINX JavaScript (njs) enables unauthenticated remote attackers to trigger heap-based buffer overflow through the js_fetch_proxy directive. The flaw occurs when js_fetch_proxy uses client-controlled NGINX variables combined with ngx.fetch() operations. Attackers can send crafted HTTP requests causing worker process crashes and DoS conditions. On systems with disabled ASLR, the vulnerability may allow arbitrary code execution. The issue affects njs versions 0.9.4 through 0.9.8, with fixes available in version 0.9.9. F5 confirms other products like BIG-IP are not affected. Administrators should upgrade immediately or review configurations to remove vulnerable patterns.