{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/nginx-javascript/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-8711"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["NGINX JavaScript"],"_cs_severities":["high"],"_cs_tags":["cve","heap-buffer-overflow","nginx"],"_cs_type":"advisory","_cs_vendors":["NGINX"],"content_html":"\u003cp\u003eNGINX JavaScript is susceptible to a heap buffer overflow vulnerability (CVE-2026-8711). The vulnerability occurs when the \u003ccode\u003ejs_fetch_proxy\u003c/code\u003e directive is configured with at least one client-controlled NGINX variable (e.g., \u003ccode\u003e$http_*\u003c/code\u003e, \u003ccode\u003e$arg_*\u003c/code\u003e, \u003ccode\u003e$cookie_*\u003c/code\u003e) and a location invoking the \u003ccode\u003engx.fetch()\u003c/code\u003e operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests to the affected NGINX server. Successful exploitation may lead to a heap buffer overflow in the NGINX worker process, resulting in a restart of the process. Furthermore, on systems where Address Space Layout Randomization (ASLR) is disabled, this vulnerability could potentially lead to arbitrary code execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious HTTP request containing specially crafted data within headers, arguments, or cookies.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted HTTP request to the targeted NGINX server.\u003c/li\u003e\n\u003cli\u003eNGINX receives the request and processes it according to the server configuration.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ejs_fetch_proxy\u003c/code\u003e directive is triggered due to the request matching a configured location.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003engx.fetch()\u003c/code\u003e operation is invoked from the NGINX JavaScript code within the triggered location.\u003c/li\u003e\n\u003cli\u003eThe JavaScript code utilizes a client-controlled NGINX variable (e.g., \u003ccode\u003e$http_*\u003c/code\u003e, \u003ccode\u003e$arg_*\u003c/code\u003e, \u003ccode\u003e$cookie_*\u003c/code\u003e) as part of the \u003ccode\u003engx.fetch()\u003c/code\u003e operation\u0026rsquo;s configuration or parameters.\u003c/li\u003e\n\u003cli\u003eDue to insufficient input validation or sanitization, the crafted data from the client-controlled variable causes a heap buffer overflow during the processing of the \u003ccode\u003engx.fetch()\u003c/code\u003e operation.\u003c/li\u003e\n\u003cli\u003eThe heap buffer overflow corrupts memory within the NGINX worker process, leading to a process restart, or, with ASLR disabled, potentially code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to a denial-of-service condition due to the NGINX worker process restarting. On systems with ASLR disabled, successful exploitation can lead to arbitrary code execution, potentially allowing the attacker to gain full control of the affected system. The scope of impact depends on the specific configuration of NGINX and the JavaScript code used.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the necessary patch or upgrade to the latest version of NGINX JavaScript to remediate CVE-2026-8711.\u003c/li\u003e\n\u003cli\u003eReview NGINX configurations to identify instances where the \u003ccode\u003ejs_fetch_proxy\u003c/code\u003e directive is used with client-controlled variables and \u003ccode\u003engx.fetch()\u003c/code\u003e. Implement robust input validation and sanitization to mitigate potential buffer overflows.\u003c/li\u003e\n\u003cli\u003eEnable Address Space Layout Randomization (ASLR) on systems running NGINX to mitigate the risk of code execution in the event of a successful buffer overflow.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect exploitation attempts targeting CVE-2026-8711.\u003c/li\u003e\n\u003cli\u003eMonitor NGINX logs for unusual HTTP requests containing potentially malicious payloads in headers, arguments, or cookies that are being used with the vulnerable directive (see example requests in positive tests below).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T15:19:40Z","date_published":"2026-05-19T15:19:40Z","id":"https://feed.craftedsignal.io/briefs/2026-05-nginx-js-heap-overflow/","summary":"NGINX JavaScript is vulnerable to a heap buffer overflow (CVE-2026-8711) when the js_fetch_proxy directive is configured with client-controlled variables and ngx.fetch(), allowing unauthenticated attackers to cause worker process restarts or, with ASLR disabled, code execution via crafted HTTP requests.","title":"NGINX JavaScript Heap Buffer Overflow Vulnerability (CVE-2026-8711)","url":"https://feed.craftedsignal.io/briefs/2026-05-nginx-js-heap-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — NGINX JavaScript","version":"https://jsonfeed.org/version/1.1"}