PT-2026-41939 · Nginx · Nginx Javascript

Published: 2026-05-19 · Updated: 2026-05-21 · CVE-2026-8711

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: NGINX JavaScript (affected versions not specified)

Description: A heap buffer overflow occurs when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (such as $http_*, $arg_*, or $cookie_*) and a location invokes the ngx.fetch() operation. An unauthenticated remote attacker can exploit this by sending crafted HTTP requests, which may cause the NGINX worker process to restart. Furthermore, this can lead to arbitrary code execution on systems where Address Space Layout Randomization (ASLR), a security technique that randomly arranges the address space positions of key data areas of a process, is disabled or bypassed.

Recommendations: Review js_fetch_proxy configurations and avoid passing untrusted variables to the directive. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
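
One way to carry out the configuration review recommended above, as an added example that is not part of the advisory or of NGINX's own tooling: a small audit that flags js_fetch_proxy arguments built from client-controlled variables, including ones assigned through `set`. The function names, the sample configuration and the three variable names beyond the prefixes listed in the description are assumptions of this example.

```python
import re

# Prefixes the advisory names as client-controlled, plus three other
# request-derived variables (those extra names are this example's assumption).
CLIENT = re.compile(r"^(?:(?:http|arg|cookie)_\w+|args|query_string|request_uri)$")
VAR = re.compile(r"\$(\w+)")

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
server {
    set $dbg_proxy "http://$arg_proxy";   # derived from the query string
    location /a { js_fetch_proxy http://proxy.internal:3128; js_content main.a; }
    location /b { js_fetch_proxy $dbg_proxy; js_content main.b; }
    location /c { js_fetch_proxy http://$http_x_proxy:8080; js_content main.c; }
}
"""

def statements(text):
    """Yield (line_no, [words]) per directive; ${name} and quoted braces are not handled."""
    text = re.sub(r"#[^\n]*", "", text)           # drop comments, keep newlines
    for m in re.finditer(r"[^;{}]+", text):
        words = m.group().split()
        if words:
            start = m.start() + len(m.group()) - len(m.group().lstrip())
            yield text.count("\n", 0, start) + 1, words

def audit(text):
    """Return [(line_no, variable)] for js_fetch_proxy arguments a client controls."""
    derived, findings = set(), []
    for line_no, (name, *args) in statements(text):
        value = args[1:] if name == "set" else args
        bad = [v for a in value for v in VAR.findall(a)
               if CLIENT.match(v) or v in derived]
        if name == "set" and args and bad:
            derived.add(args[0].lstrip("$"))      # taint follows `set` assignments
        elif name == "js_fetch_proxy":
            findings += [(line_no, "$" + v) for v in bad]
    return findings

if __name__ == "__main__":
    for line_no, var in audit(SAMPLE):
        print(f"line {line_no}: js_fetch_proxy uses client-controlled {var}")
```

Run it against the output of `nginx -T` so that included files are covered; variables produced by `map` or by njs code are not traced and need manual review.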

RCE

Heap Based Buffer Overflow

Weakness Enumeration

Related Identifiers: CVE-2026-8711

Affected Products: Nginx Javascript