NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example,...
Description
NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlled NGINX variable (for example, $http_*, $arg_*, $cookie_*) and a location invoking the ngx
AI Analyst Comment
Remediation
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: NGINX
PRODUCT: JavaScript (njs)
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
CONFIDENCE: medium
MISSING: patch, technical_details
---END_METADATA---
Description Summary:
NGINX JavaScript is vulnerable when the js_fetch_proxy directive uses client-controlled variables, potentially leading to unauthorized proxy behavior or information disclosure.
Executive Summary:
A vulnerability in the NGINX JavaScript (njs) module allows for improper proxy configuration, posing a significant risk of unauthorized request routing or data exposure.
Vulnerability Details
CVE-ID: CVE-2026-8711
Affected Software: NGINX JavaScript (njs)
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The vulnerability exists within the
js_fetch_proxydirective when configured with client-controlled NGINX variables (e.g., $http_*, $arg_*, $cookie_*). This flaw allows unauthenticated remote attackers to influence proxy behavior, potentially facilitating unauthorized access or SSRF-like conditions.Business Impact
Successful exploitation of this vulnerability could lead to the compromise of internal network resources or the exfiltration of sensitive data routed through the proxy. With a CVSS score of 8.1, this represents a High severity risk that could result in significant reputational damage and service disruption if the proxy infrastructure is successfully manipulated.
Remediation Plan
Immediate Action: Review your
nginx.conffiles to identify instances wherejs_fetch_proxyutilizes client-controlled variables and restrict these configurations until a vendor patch is applied.Proactive Monitoring: Monitor NGINX access and error logs for unusual request patterns, particularly those involving unexpected header modifications or proxy destination anomalies.
Compensating Controls: Implement strict input validation or use a Web Application Firewall (WAF) to sanitize incoming request parameters before they are processed by the NGINX JavaScript module.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of May 20, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Given the High severity score, administrators should prioritize auditing their NGINX configurations immediately to identify potentially vulnerable
js_fetch_proxyimplementations. Apply vendor-provided security patches as soon as they become available to eliminate the underlying risk.