<?xml version="1.0"?>
<!DOCTYPE article SYSTEM "../../../../dtd/article.dtd">
<article name="Security"
link="/en/docs/njs/security.html"
lang="en"
rev="4"
toc="no">
<section>
<para>
All nginx security issues should be reported to
<link url="mailto:[email protected]">[email protected]</link>
or via one of the methods listed
<link url="https://github.com/nginx/njs/blob/master/SECURITY.md">here</link>.
</para>
<para>
Patches are signed using one of the
<link doc="../../pgp_keys.xml">PGP public keys</link>.
</para>
</section>
<section id="considerations" name="Special considerations">
<para>
njs does not evaluate dynamic code,
especially code received from the network, in any way.
The only way to evaluate that code using njs
is to configure the
<link doc="../http/ngx_http_js_module.xml" id="js_import">js_import</link>
directive in nginx.
JavaScript code is loaded once during nginx start.
</para>
<para>
In the nginx/njs threat model, JavaScript code is considered a trusted source
in the same way as <literal>nginx.conf</literal> and sites certificates.
What this means in practice:
<list type="bullet">
<listitem>
memory disclosure and other security issues
triggered by JavaScript code modification
are not considered security vulnerabilities, but rather ordinary bugs
</listitem>
<listitem>
measures should be taken for protecting JavaScript code used by njs
</listitem>
<listitem>
if no <link doc="../http/ngx_http_js_module.xml" id="js_import">js_import</link>
directives are present in <literal>nginx.conf</literal>,
nginx is safe from JavaScript-related vulnerabilities
</listitem>
</list>
</para>
</section>
<section id="advisories" name="Advisories">
<security>
<item name="Heap buffer overflow in js_fetch_proxy"
severity="medium"
advisory="https://my.f5.com/manage/s/article/K000161307"
cve="2026-8711"
good="0.9.9+"
vulnerable="0.9.4-0.9.8">
</item>
</security>
</section>
</article>
