CVE-2026-8711
NGINX · JavaScript (njs)
NGINX JavaScript is vulnerable when the js_fetch_proxy directive uses client-controlled variables, potentially leading to unauthorized proxy behavior or information disclosure.
Executive summary
A vulnerability in the NGINX JavaScript (njs) module allows for improper proxy configuration, posing a significant risk of unauthorized request routing or data exposure.
Vulnerability
The vulnerability exists within the js_fetch_proxy directive when configured with client-controlled NGINX variables (e.g., $http_*, $arg_*, $cookie_*). This flaw allows unauthenticated remote attackers to influence proxy behavior, potentially facilitating unauthorized access or SSRF-like conditions.
Business impact
Successful exploitation of this vulnerability could lead to the compromise of internal network resources or the exfiltration of sensitive data routed through the proxy. With a CVSS score of 8.1, this represents a High severity risk that could result in significant reputational damage and service disruption if the proxy infrastructure is successfully manipulated.
Remediation
Immediate Action: Review your nginx.conf files to identify instances where js_fetch_proxy utilizes client-controlled variables and restrict these configurations until a vendor patch is applied.
Proactive Monitoring: Monitor NGINX access and error logs for unusual request patterns, particularly those involving unexpected header modifications or proxy destination anomalies.
Compensating Controls: Implement strict input validation or use a Web Application Firewall (WAF) to sanitize incoming request parameters before they are processed by the NGINX JavaScript module.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the High severity score, administrators should prioritize auditing their NGINX configurations immediately to identify potentially vulnerable js_fetch_proxy implementations. Apply vendor-provided security patches as soon as they become available to eliminate the underlying risk.