PT-2026-41939 · Nginx+1 · Nginx Javascript+1

Published

2026-05-19

·

Updated

2026-06-29

·

CVE-2026-8711

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions NGINX JavaScript (affected versions not specified)
Description An issue exists when the 'js fetch proxy' directive is configured with at least one client-controlled NGINX variable, such as $http *, $arg *, or $cookie *, and a location invokes the ngx.fetch() function. An unauthenticated remote attacker can exploit this by sending crafted HTTP requests, triggering a heap buffer overflow in the NGINX worker process. This can lead to a process restart or potential remote code execution on systems where Address Space Layout Randomization (ASLR)—a security technique that randomly arranges the address space positions of key data areas of a process—is disabled or bypassed.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. Review 'js fetch proxy' configurations and avoid passing untrusted variables to the directive. As a temporary mitigation, restrict the use of the ngx.fetch() function in locations where client-controlled variables are used in the 'js fetch proxy' configuration.

RCE

DoS

Heap Based Buffer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-8711
USN-8425-1

Affected Products

Nginx Javascript
Red Os