CVE-2021-46463 – CVE-2021-46463 is a critical type confusion vul... (How to Fix)

Q: What is the severity of CVE-2021-46463?

CVE-2021-46463 has a CVSS score of 9.8 (CRITICAL). CVE-2021-46463 is a critical type confusion vulnerability in njs (NGINX JavaScript) that allows attackers to hijack control flow and potentially execute arbitrary code. It affects NGINX servers using njs modules through version 0.7.1. Attackers could exploit this to compromise NGINX instances and potentially gain server access.

📋 TL;DR

CVE-2021-46463 is a critical type confusion vulnerability in njs (NGINX JavaScript) that allows attackers to hijack control flow and potentially execute arbitrary code. It affects NGINX servers using njs modules through version 0.7.1. Attackers could exploit this to compromise NGINX instances and potentially gain server access.

💻 Affected Systems

Products:

NGINX with njs module
NGINX Plus with njs module

Versions: njs versions through 0.7.1

Operating Systems: All platforms running affected njs versions

Default Config Vulnerable: ✅ No

Notes: Only vulnerable if njs module is loaded and used in NGINX configuration. NGINX without njs is not affected.

📦 What is this software?

Njs by F5

View all CVEs affecting Njs →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete server compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Denial of service or limited code execution within the NGINX worker process context.

🟢

If Mitigated

Limited impact if NGINX runs with minimal privileges, proper sandboxing, and network segmentation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires sending crafted requests to NGINX endpoints using njs functionality. No public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: njs 0.7.2 and later

Vendor Advisory: https://github.com/nginx/njs/commit/6a40a85ff239497c6458c7dbef18f6a2736fe992

Restart Required: Yes

Instructions:

1. Update njs to version 0.7.2 or later. 2. Recompile NGINX with updated njs if using source build. 3. Restart NGINX service. 4. For NGINX Plus, update through official package repositories.

🔧 Temporary Workarounds

Disable njs module

linux

Remove or comment out njs module loading from NGINX configuration

# Edit nginx.conf and remove/comment: load_module modules/ngx_http_js_module.so;
# Then restart: systemctl restart nginx

🧯 If You Can't Patch

Implement strict network access controls to limit NGINX exposure
Run NGINX with minimal privileges and in isolated containers

🔍 How to Verify

Check if Vulnerable:

Check njs version: njs -v 2>&1 | head -1

Check Version:

njs -v

Verify Fix Applied:

Verify njs version is 0.7.2 or higher: njs -v

📡 Detection & Monitoring

Log Indicators:

Unusual NGINX worker process crashes
Suspicious JavaScript execution errors in njs logs

Network Indicators:

Unusual requests to endpoints using njs functionality
Abnormal traffic patterns to NGINX

SIEM Query:

source="nginx_access.log" AND (status>=500 OR uri CONTAINS "js")

📊 Metadata

CVE ID: CVE-2021-46463

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-843

Published: February 14, 2022

Last Updated: November 21, 2024

🔗 References

https://github.com/nginx/njs/commit/6a40a85ff239497c6458c7dbef18f6a2736fe992 Patch,Third Party Advisory
https://github.com/nginx/njs/issues/447 Exploit,Issue Tracking,Patch,Third Party Advisory
https://security.netapp.com/advisory/ntap-20220303-0007/ Third Party Advisory
https://github.com/nginx/njs/commit/6a40a85ff239497c6458c7dbef18f6a2736fe992 Patch,Third Party Advisory
https://github.com/nginx/njs/issues/447 Exploit,Issue Tracking,Patch,Third Party Advisory
https://security.netapp.com/advisory/ntap-20220303-0007/ Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-46463, you might also want to check these: