SecurityHorrors

Stories you never want to feel on your own skin

NGINX njs: One Overflow to Crash Them All

Andras Bacsai

Source:


TL;DR: CVE-2026-8711 is a heap buffer overflow in NGINX JavaScript (njs), reachable via ngx_http_js_module. It can crash workers and cause denial of service, and in some conditions may allow remote code execution. It is similar in nature to the earlier CVE-2026-42945 (NGINX Rift). Fixed in njs 0.9.9.

Affected versions

| Component | Affected | Upgrade to |
|---|---|---|
| NGINX JavaScript (njs) | 0.9.4 - 0.9.8 | 0.9.9 |

What to do

  • Upgrade NGINX JavaScript (njs) to 0.9.9.
  • Review the F5 advisory for environment-specific guidance.
  • If you run ngx_http_js_module in production, audit your configuration and monitor worker stability after upgrading.
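
The three checks above (version, configuration audit, worker stability) can be scripted. The following is an added example, not code from this post or from F5: the function names are hypothetical, the affected cell of the table is read as the range 0.9.4 through 0.9.8, and the sample config and log lines are constructed.

```python
import re
from collections import Counter

# Bounds from the page's table, read as the range 0.9.4 through 0.9.8 (assumption).
AFFECTED_MIN, AFFECTED_MAX, FIXED = (0, 9, 4), (0, 9, 8), (0, 9, 9)
# load_module for the http js module, or any js_* directive starting a statement.
JS_USE = re.compile(r"(?:^|[;{}])\s*(load_module\s+\S*ngx_http_js_module\S*|js_[a-z_]+)\b")
# Alert the NGINX master process logs when a worker dies from a signal.
WORKER_DEATH = re.compile(r"\[alert\].*worker process (\d+) exited on signal (\d+)")

def version_status(version):
    """Classify an njs version string as 'fixed', 'affected' or 'not-listed'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"no x.y.z version in {version!r}")
    v = tuple(int(p) for p in m.groups())
    if v >= FIXED:
        return "fixed"
    return "affected" if AFFECTED_MIN <= v <= AFFECTED_MAX else "not-listed"

def js_directives(conf_text):
    """Return (line_number, directive) for each uncommented njs directive."""
    hits = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        for m in JS_USE.finditer(line.split("#", 1)[0]):  # drop trailing comments
            hits.append((n, m.group(1).split()[0]))
    return hits

def worker_deaths(log_lines):
    """Count worker exits per signal number (on Linux 11 = SIGSEGV, 6 = SIGABRT)."""
    return Counter(int(m.group(2)) for m in map(WORKER_DEATH.search, log_lines) if m)

# Constructed sample inputs, not taken from a real host.
SAMPLE_CONF = """\
load_module modules/ngx_http_js_module.so;
http {
    js_import main from conf.d/main.js;
    # js_set $old main.old;
    server { location /api { js_content main.handler; } }
}
"""
SAMPLE_LOG = [
    "2026/01/10 09:14:02 [alert] 811#811: worker process 4512 exited on signal 11 (core dumped)",
    "2026/01/10 09:14:05 [notice] 811#811: signal 17 (SIGCHLD) received from 4513",
    "2026/01/10 09:20:41 [alert] 811#811: worker process 4513 exited on signal 11",
]

if __name__ == "__main__":
    print(version_status("0.9.6"), js_directives(SAMPLE_CONF), worker_deaths(SAMPLE_LOG))
```

A non-empty `js_directives` result on a host whose `version_status` is `affected` marks it for upgrade first; compare `worker_deaths` counts before and after the upgrade.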