Sonatype Nexus Security Advisory
Date: October 8, 2025
Affected Versions: All Sonatype Nexus Repository Manager 2.x OSS/Pro versions
Summary:
A vulnerability has been discovered in Nexus Repository 2.
An attacker can leverage the Remote Browser Plugin to send arbitrary HTTP GET requests to attacker-controlled servers. If the affected Nexus Repository Manager 2 instance is configured with authentication for a proxy repository, credentials may be leaked to the attacker. This vulnerability does not require authentication to exploit.
Nexus Repository Manager 2 reached End-of-Life in June 2025 and does not receive security patches. Sonatype will not release a fix for this issue.
Recommendation:
Sonatype Nexus Repository Manager 2.x is End-of-Life and should be considered insecure for continued use. We strongly encourage remaining deployments to migrate to Sonatype Nexus Repository 3.
If migration is not immediately possible, we recommend the following mitigations:
- Disable or remove the Remote Browser Plugin in Nexus Repository 2.x.
- Place Nexus Repository Manager 2.x instances behind a restrictive reverse proxy or firewall that limits outbound connections.
Credit:
This issue was discovered and reported responsibly by Michael Stepankin at GitHub Security Lab via Sonatype’s Bug Bounty Program.
Frequently Asked Questions:
Q: What is the risk associated with this vulnerability?
A: An unauthenticated attacker can use the Remote Browser Plugin to send arbitrary HTTP requests to attacker-controlled servers. If a proxy repository is configured with authentication, credentials for that repository may be leaked.
Q: What preconditions must be met in order to be vulnerable?
A: The Nexus Repository 2.x instance must have the Remote Browser Plugin enabled (enabled by default). If a proxy repository has authentication configured, its credentials are at risk of being exposed.
Q: Are there implications associated with this advisory itself?
A: Disclosure means malicious actors may attempt to exploit the vulnerability. While we are limiting details in this advisory, organizations running Nexus Repository 2 should treat this as a critical risk and take immediate action.
Q: Where can I obtain more information associated with the vulnerability?
A: Out of caution for our user community, we are limiting the technical details shared.
Q: Why is Sonatype making this information available?
A: As part of our responsible disclosure process, we are making this information available to help organizations protect themselves and encourage immediate migration away from unsupported versions of Nexus Repository.
Q: How do I remove the Remote Browser Plugin?
A: How to Remove the RRB Plugin from Nexus Repository 2 Pro and OSS
1. Stop Nexus Repository
Before making any changes, stop the Nexus service:
    <install_dir>/bin/nexus stop
Or, if managed as a system service:
    sudo systemctl stop nexus
2. Locate the Plugin Directory
Navigate to the plugin repository directory inside the Nexus installation:
    cd <nexus_install_dir>/nexus/WEB-INF/plugin-repository/
Look for the RRB plugin folder:
    ls | grep nexus-rrb-plugin
3. Delete the RRB Plugin
Remove the entire RRB plugin directory:
    rm -rf nexus-rrb-plugin-*
4. Start Nexus Repository
After removal, restart the service:
    <install_dir>/bin/nexus start
Or:
    sudo systemctl start nexus
The plugin is now removed and will no longer load. When viewing a repository, the Browse Remote tab will no longer be available.
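The four steps above, as an added helper script that is not part of Sonatype's advisory or tooling. It assumes the directory layout the steps describe (<install_dir>/nexus/WEB-INF/plugin-repository/nexus-rrb-plugin-*) and, instead of rm -rf, moves the plugin folder into a backup directory so the removal can be audited and reverted; the function names and the removed-plugins path are this example's own choices.

```shell
#!/bin/sh
# Added example (not Sonatype's own script): find and quarantine the RRB plugin
# in a Nexus Repository 2 installation, following the advisory's steps 2 and 3.
# Assumed layout: <install_dir>/nexus/WEB-INF/plugin-repository/nexus-rrb-plugin-*

# Print the path of every RRB plugin folder under the install dir.
# Returns 0 if at least one was found, 1 if none, 2 if the layout is unexpected.
find_rrb_plugin() {
    install_dir="$1"
    plugin_repo="$install_dir/nexus/WEB-INF/plugin-repository"
    if [ ! -d "$plugin_repo" ]; then
        echo "plugin-repository not found: $plugin_repo" >&2
        return 2
    fi
    found=1
    for d in "$plugin_repo"/nexus-rrb-plugin-*; do
        [ -d "$d" ] || continue      # glob matched nothing: skip the literal pattern
        echo "$d"
        found=0
    done
    return "$found"
}

# Move each RRB plugin folder to <install_dir>/removed-plugins/<timestamp>/
# (a backup location chosen for this example) rather than deleting it outright.
# Returns 0 if something was quarantined, non-zero if no plugin was present.
quarantine_rrb_plugin() {
    install_dir="$1"
    plugins=$(find_rrb_plugin "$install_dir") || return 1
    backup_dir="$install_dir/removed-plugins/$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup_dir" || return 1
    echo "$plugins" | while IFS= read -r d; do
        mv "$d" "$backup_dir/" || exit 1
        echo "quarantined $(basename "$d") -> $backup_dir" >&2
    done
}

# Whole procedure from the advisory (steps 1 to 4) for a non-systemd install:
# stop Nexus, quarantine the plugin, start Nexus again.
remove_rrb_plugin() {
    install_dir="$1"
    "$install_dir/bin/nexus" stop || return 1
    quarantine_rrb_plugin "$install_dir" || echo "no RRB plugin found" >&2
    "$install_dir/bin/nexus" start
}
```

After the restart, confirm the Browse Remote tab is gone from the repository view and keep the backup directory until the migration to Nexus Repository 3 is complete.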