CVEFinder.io

CVE-2020-19695

β›” critical
πŸ” Scan for this CVE
Summary

Buffer Overflow found in Nginx NJS allows a remote attacker to execute arbitrary code via the njs_object_property parameter of the njs/njs_vm.c function.

CVSS Score
9.8
Critical
EPSS Score
1.4
Exploit Probability
Published Date
2023-04-04
First Seen: 2026-01-05
πŸ“Š Relative Risk Intelligence

This CVE is Very High Risk - more severe than 90.5% of all 326,604 vulnerabilities in our database.

#31,067
Top 10% most severe
Severity Percentile
🎯 CISA SSVC Assessment Updated: Feb 14, 2025
πŸ” Exploitation Status
Poc
Proof-of-concept available
βš™οΈ Automatable
YES
Can be exploited automatically
πŸ’₯ Technical Impact
Total
Complete system compromise possible
SSVC data provided by CISA
Last Modified 2025-08-12
Source NVD πŸ”—
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE IDs (Weakness Types)
CWE-120

πŸ“¦ Affected Products 1

Vendor Product Status Affected Versions
f5 njs Affected
< 0.3.4

πŸ”— References 1

https://github.com/nginx/njs/issues/188
Exploit Issue Tracking Patch

πŸ”— Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-8711 ⚠️ high 8.1 0.1 NGINX JavaScript has a vulnerability when the js_fetch_proxy directive is configured with at least one client-controlle... 2026-05-19
CVE-2023-27727 ⚠️ high 7.5 0.1 Nginx NJS v0.7.10 was discovered to contain a segmentation violation via the function njs_function_frame at src/njs_func... 2023-04-09
CVE-2023-27728 ⚠️ high 7.5 0.1 Nginx NJS v0.7.10 was discovered to contain a segmentation violation via the function njs_dump_is_recursive at src/njs_v... 2023-04-09
CVE-2023-27729 ⚠️ high 7.5 0.1 Nginx NJS v0.7.10 was discovered to contain an illegal memcpy via the function njs_vmcode_return at src/njs_vmcode.c. 2023-04-09
CVE-2023-27730 ⚠️ high 7.5 0.1 Nginx NJS v0.7.10 was discovered to contain a segmentation violation via the function njs_lvlhsh_find at src/njs_lvlhsh.... 2023-04-09
CVE-2020-19692 β›” critical 9.8 1.3 Buffer Overflow vulnerabilty found in Nginx NJS v.0feca92 allows a remote attacker to execute arbitrary code via the njs... 2023-04-04
These CVEs affect the same products