In late 2022, a vulnerability was reported in the Nginx NJS project, tracked as CVE-2022-43284. Specifically, this issue was a segmentation fault that could be triggered in versions v.7.2 through v.7.4 via the function njs_scope_valid_value in the njs_scope.h file.

However, the NJS maintainers have disputed the significance of this vulnerability. They argue that NJS is not supposed to process untrusted input, making real-world exploitation unlikely in standard use cases. In this article, we'll break down what happened, review the technical details, and clarify what this means for developers.

What is Nginx NJS?

Nginx NJS is a JavaScript engine for Nginx, used mainly to write scripts that handle HTTP and Stream module requests and responses. You can use NJS to add programmable logic to Nginx's configuration.

What is CVE-2022-43284?

- Identifier: CVE-2022-43284
- Affected Versions: Nginx NJS v.7.2 to v.7.4
- Description: "Nginx NJS v.7.2 to v.7.4 was discovered to contain a segmentation violation via njs_scope_valid_value at njs_scope.h."

Vulnerability Details

The bug is found in the internal function njs_scope_valid_value, declared in njs_scope.h. Because of a programming error in this function, specially crafted input that reaches it can cause a segmentation violation (segfault), which typically crashes the NJS process.

Note: Normally, only legitimate scripts and data set by the server operator reach this function. NJS is not designed to parse arbitrary, untrusted input coming from outside.

Here's a simplified pseudo-code reconstruction based on public issue trackers (it is not the actual NJS source):

```c
// File: njs_scope.h (simplified reconstruction, not the real function body)

static njs_inline njs_value_t *
njs_scope_valid_value(njs_value_t *value)
{
    // Suppose a null check or boundary check is missed or incomplete here;
    // the placeholder condition stands in for whatever the real code tests.
    if (!scope_value_is_valid(value)) {   /* hypothetical check */
        return NULL; // the caller later dereferences this without checking it
    }
    return value;
}
```

An attacker able to pass a crafted value pointer (such as NULL or a corrupted pointer) might trigger a segmentation fault when the returned value is accessed.

Simulated Exploit Flow:
If a script or a module accidentally calls njs_scope_valid_value with invalid data (such as after a logic bug elsewhere), NJS could crash.
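To make the failure mode concrete, here is an added example (not NJS code; all names are constructed) that models a scope as a small table of value slots with an "invalid" marker, a lookup that returns NULL for an unassigned or out-of-range slot, and the two kinds of caller: one that dereferences the result blindly, which is the NULL dereference behind a segfault like this one, and a hardened one that checks the result and reports the error to its caller instead of crashing the process.

```c
#include <stddef.h>
#include <stdio.h>
#define SCOPE_SLOTS  4
#define SLOT_INVALID 0   /* slot never assigned, like njs's "invalid" marker */
#define SLOT_NUMBER  1
typedef struct { int type; long number; } toy_value_t;
typedef struct { toy_value_t slots[SCOPE_SLOTS]; } toy_scope_t;

/* Stand-in for the reconstructed njs_scope_valid_value: NULL for an
 * out-of-range index or an unassigned slot, otherwise the slot pointer. */
toy_value_t *toy_scope_valid_value(toy_scope_t *scope, size_t index)
{
    if (index >= SCOPE_SLOTS || scope->slots[index].type == SLOT_INVALID) {
        return NULL;
    }
    return &scope->slots[index];
}

/* Defective caller: trusts the lookup and dereferences it. For an invalid
 * slot this is the NULL dereference that surfaces as a segfault. */
long read_slot_unchecked(toy_scope_t *scope, size_t index)
{
    return toy_scope_valid_value(scope, index)->number;
}

/* Hardened caller: the result is checked before use and the failure is
 * reported (0 = success, -1 = invalid slot) instead of crashing the process. */
int read_slot_checked(toy_scope_t *scope, size_t index, long *out)
{
    toy_value_t *v = toy_scope_valid_value(scope, index);
    if (v == NULL) {
        return -1;
    }
    *out = v->number;
    return 0;
}

int main(void)
{
    toy_scope_t scope = {0};   /* constructed sample: only slot 1 is assigned */
    long n = 0;
    scope.slots[1].type = SLOT_NUMBER;
    scope.slots[1].number = 42;
    if (read_slot_checked(&scope, 1, &n) == 0)
        printf("slot 1: value=%ld\n", n);
    printf("slot 3: rc=%d (unassigned, handled without a crash)\n",
           read_slot_checked(&scope, 3, &n));
    /* read_slot_unchecked(&scope, 3) would dereference NULL here. */
    return 0;
}
```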

Proof of Concept (PoC)

As this function isn't directly exposed to external users, there isn't an exploit in the typical sense. However, a mishandled value might cause a segfault:

```javascript
// Hypothetical JS code triggering the error (simplified for illustration;
// some_internal_undefined_reference is a placeholder, not a real NJS name):
function invalid_scope_access() {
    var dangerous = some_internal_undefined_reference;
    // This could potentially lead to invalid value access,
    // which njs_scope_valid_value is supposed to check.
}
invalid_scope_access();
```

If NJS internally mishandles variable scope and doesn't validate the value properly, the result may be a crash.

The upstream maintainers noted:

> "NJS does not operate on untrusted input. This is not a vulnerability in the traditional sense."

As most users control their NJS scripts and input, the risk is minimal unless you run code from untrusted users. This segmentation fault is mainly a programming bug, not a classic security issue, unless you purposely allow untrusted JS or data into your scripts—which is not recommended practice.

Who Is Affected?

- If only scripts and data set by you, the server operator, reach NJS: no significant risk.
- If you let users submit or run their own JS or influence NJS variables in ways you can't control: upgrade NJS. Get the latest version from Nginx's official repo or your package manager.

Official References

- CVE ID: CVE-2022-43284 at NIST NVD
- Upstream repository: nginx/njs GitHub
- Vulnerability discussion: Debian Bug Report
- NJS documentation: Official Nginx NJS Docs

Conclusion

CVE-2022-43284 does point to a real programming bug, but unless you intentionally feed untrusted or user-generated code and data into Nginx NJS, your risk is very low. The NJS maintainers do not consider this a security bug in a typical scenario.

Still, as a best practice, keep your Nginx and NJS up to date and avoid risky configurations. If you’re using NJS in production, stay aware of upstream advisories even about “disputed” vulnerabilities.

*Want to discuss more or have a similar bug to report? Join the Nginx community or file issues at nginx/njs GitHub.*

Timeline

Published on: 10/28/2022 21:15:00 UTC
Last modified on: 12/08/2022 18:19:00 UTC