Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
AnalysisAI
Heap buffer overflow in F5 NGINX JavaScript (njs) module versions 0.9.4 through 0.9.8 allows unauthenticated remote attackers to crash NGINX worker processes, with potential remote code execution on hosts where ASLR is disabled. Exploitation requires the deployment to use the js_fetch_proxy directive with at least one client-controlled NGINX variable (such as $http_*, $arg_*, or $cookie_*) and a location that invokes ngx.fetch(). No public exploit identified at time of analysis, but a vendor patch is available and the CVSS 4.0 base score of 9.2 reflects the high impact across confidentiality, integrity, and availability.
Technical ContextAI
NGINX JavaScript (njs) is F5's scripting engine that embeds JavaScript into the NGINX configuration, allowing administrators to write request-handling logic and outbound subrequests via the ngx.fetch() API. The js_fetch_proxy directive configures an upstream proxy URL used for those subrequests; when its value interpolates a client-controlled NGINX variable, the parser appears to mishandle attacker-supplied content during proxy URL construction. The root cause is classified as CWE-122 (heap-based buffer overflow), meaning attacker bytes overrun an allocation on the heap inside the NGINX worker process. The affected CPE is cpe:2.3:a:f5:nginx_javascript across the version range 0.9.4 up to (but not including) 0.9.9.
RemediationAI
Upgrade the NGINX JavaScript module to version 0.9.9 or later, which is the first release outside the affected 0.9.4-0.9.8 range per F5 advisory K000161307 (https://my.f5.com/manage/s/article/K000161307). If immediate patching is not possible, the most direct compensating control is to remove client-controlled NGINX variables ($http_*, $arg_*, $cookie_*) from any js_fetch_proxy directive value and instead use static or server-controlled values, which eliminates the attack surface but reduces flexibility for dynamic upstream selection. Alternatively, temporarily disable the affected location blocks that call ngx.fetch() under a js_fetch_proxy with dynamic variables - this breaks the affected proxy functionality but stops the attack path. Ensure ASLR remains enabled on the host (the Linux default), which downgrades a successful exploit from code execution to a worker restart while a patch is being rolled out.
The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau
A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap
An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker
Same weakness CWE-122 – Heap-based Buffer Overflow
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30940
GHSA-pj32-6rxc-gcmq