CVE-2022-43286 is a critical heap-use-after-free vulnerability identified in Nginx NJS version 0.7.2. NJS is a scripting language used within Nginx to extend its capabilities, including JSON processing. The vulnerability arises from an illegal memory copy operation within the function njs_json_parse_iterator_call located in the njs_json.c source file. Specifically, this bug causes the program to use memory after it has been freed, a classic use-after-free flaw categorized under CWE-416. This type of vulnerability can lead to undefined behavior such as application crashes, memory corruption, or arbitrary code execution. The CVSS v3.1 base score of 9.8 reflects the high severity of this issue, indicating that it can be exploited remotely (AV:N), with no privileges required (PR:N), no user interaction needed (UI:N), and it impacts confidentiality, integrity, and availability (C:H/I:H/A:H). Although no known exploits have been reported in the wild yet, the vulnerability's characteristics make it a prime candidate for exploitation by attackers aiming to compromise web servers running Nginx with NJS scripting enabled. The lack of specific affected product versions beyond NJS v0.7.2 suggests that users of this version or earlier may be vulnerable. Since NJS is often embedded in Nginx deployments for advanced scripting, any web infrastructure using this configuration is at risk. The vulnerability could allow attackers to execute arbitrary code remotely, potentially taking full control over the affected server, leading to data breaches, service disruption, or use of the compromised server as a pivot point for further attacks.

For European organizations, the impact of CVE-2022-43286 can be substantial. Many enterprises, government agencies, and service providers across Europe rely on Nginx as a high-performance web server or reverse proxy, often enhanced with NJS for custom scripting and JSON handling. Exploitation of this vulnerability could lead to unauthorized access, data theft, or complete system compromise, affecting confidentiality, integrity, and availability of critical services. This is particularly concerning for sectors such as finance, healthcare, telecommunications, and public administration, where sensitive personal and operational data is processed. Additionally, disruption of web services could impact business continuity and trust. Given the vulnerability requires no authentication or user interaction and can be exploited remotely, attackers could launch automated attacks at scale, increasing the risk of widespread impact. The absence of known exploits in the wild currently provides a window for mitigation, but the critical severity score necessitates urgent attention to prevent potential future attacks.

Organizations should immediately verify if they are using Nginx with NJS version 0.7.2 or earlier. Since no official patch links are provided in the information, users should monitor the official Nginx and NJS repositories and security advisories for patches or updates addressing this vulnerability. In the interim, consider disabling NJS scripting if it is not essential to reduce the attack surface. For deployments requiring NJS, isolate these servers behind additional security layers such as web application firewalls (WAFs) configured to detect and block suspicious JSON parsing or malformed requests. Employ runtime application self-protection (RASP) tools to monitor for anomalous memory usage patterns. Regularly audit and update all components of the web infrastructure to the latest stable versions. Implement network segmentation to limit the impact of a potential compromise. Finally, conduct thorough incident response planning and ensure backups are current to enable rapid recovery if exploitation occurs.