NGINX JavaScript Heap Buffer Overflow Vulnerability Allowing Denial-of-Service and Potential Code Execution

Vulnerability

A heap buffer overflow vulnerability has been identified in the ngx_http_js_module of NGINX JavaScript (njs) versions 0.9.4 through 0.9.8. The vulnerability arises when the js_fetch_proxy directive is set with at least one client-controlled NGINX variable, such as $http_*, $arg_*, or $cookie_*, and a location calls the ngx.fetch() operation from NGINX JavaScript. An unauthenticated attacker can exploit this by sending crafted HTTP requests, causing a heap buffer overflow in the NGINX worker process, which then restarts. Furthermore, on systems with Address Space Layout Randomization (ASLR) disabled, this vulnerability could be exploited for code execution.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by crashing the NGINX worker process, which is then restarted. Additionally, on systems with ASLR disabled, the vulnerability could be exploited to execute arbitrary code.

Remediation

Users can upgrade to NGINX JavaScript version 0.9.9 to address this vulnerability.
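
To check whether a configuration matches the exposure condition described under Vulnerability, the following added example (not part of the original advisory or of the njs project) scans NGINX configuration text for js_fetch_proxy values built from $http_*, $arg_*, or $cookie_* variables. It goes one step beyond the advisory text by also following values copied through set. The function name, the sample configuration and its host names are assumptions constructed for illustration.

```python
import re

# Client-controlled variable families named in the advisory.
CLIENT_PREFIXES = ("http_", "arg_", "cookie_")
VAR_RE = re.compile(r"\$\{?(\w+)\}?")
# Quoted strings are kept; '#' comments outside them are dropped.
COMMENT_RE = re.compile(r"""("[^"\n]*"|'[^'\n]*')|#[^\n]*""")
# A `set` or `js_fetch_proxy` directive and its arguments, up to the ';'.
DIRECTIVE_RE = re.compile(
    r"""(?<![\w$])(js_fetch_proxy|set)\s+((?:"[^"]*"|'[^']*'|\$\{\w+\}|[^;{}"'])+);""")

# Constructed sample configuration (hypothetical hosts and locations).
SAMPLE_CONF = """\
location /fixed    { js_fetch_proxy http://proxy.example.internal:3128; }
location /direct   { js_fetch_proxy http://$arg_user:$cookie_pw@proxy.example.internal:3128; }
location /indirect {
    set $up $http_x_upstream;  # copied from a request header
    js_fetch_proxy "http://${up}:3128";
}
# js_fetch_proxy http://$arg_old:3128;
"""

def find_risky_fetch_proxy(conf):
    """Return [(line_no, value, client_vars)] for each js_fetch_proxy whose
    value is built, directly or via `set`, from client-controlled variables."""
    text = COMMENT_RE.sub(lambda m: m.group(1) or "", conf)
    directives = [(m.group(1), m.group(2).split(None, 1),
                   text.count("\n", 0, m.start()) + 1)
                  for m in DIRECTIVE_RE.finditer(text)]
    tainted = set()  # variables that `set` derives from client input (file-wide)

    def client_vars(value):
        return sorted(v for v in set(VAR_RE.findall(value))
                      if v.startswith(CLIENT_PREFIXES) or v in tainted)

    changed = True
    while changed:  # propagate taint through chained `set` directives
        changed = False
        for name, args, _ in directives:
            is_new = name == "set" and len(args) == 2 and args[0][1:] not in tainted
            if is_new and client_vars(args[1]):
                tainted.add(args[0][1:])
                changed = True
    return [(line, args[0].strip(), client_vars(args[0]))
            for name, args, line in directives
            if name == "js_fetch_proxy" and client_vars(args[0])]

if __name__ == "__main__":
    for line_no, value, names in find_risky_fetch_proxy(SAMPLE_CONF):
        print(f"line {line_no}: js_fetch_proxy {value} uses client input: {names}")
```

The scan treats a single file as one scope and does not follow include or map, so run it over each configuration file and review map-derived variables by hand.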

Added: May 19, 2026, 3:23 PM
Updated: May 19, 2026, 3:23 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.8
remediation: 0.0
relevance: 8.8
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.