njs-0.9.9 has been released with a fix for heap buffer overflow vulnerability in the js_fetch_proxy directive (CVE-2026-8711).
Additionally, the release features the new js_access access-phase handler, r.readRequestText() and related request body reading methods, r.readRequestForm(), and jsVarNames(). See js_access examples.
Below is a release summary generated by GitHub.
What's Changed
- Programmable HTTP Access Phase and Request Body Reading by @xeioex in #1044
- Fetch: fixed heap buffer overflow in proxy URL credentials. by @xeioex in #1055
- Coverity issues. by @xeioex in #1056
- HTTP: fixed r.return() with body in js_access. by @xeioex in #1057
- Fixed allocator mismatch in drain/drop. by @xeioex in #1062
- Fixed call argument value snapshotting. by @xeioex in #1060
- Modules: added jsVarNames() method. by @xeioex in #1061
- Version 0.9.9. by @xeioex in #1063
Full Changelog: 0.9.8...0.9.9