Sonatype Nexus Security Advisory
Date: December 4, 2025
Affected Versions: Sonatype Nexus Repository 3.x CE/Pro versions 3.83.0 through 3.86.2
Fixed in Version: Sonatype Nexus Repository CE/Pro version 3.87.0
Summary
A vulnerability requiring immediate action has been discovered in Nexus Repository 3.
Due to a regression introduced in version 3.83.0, a security header is no longer applied to certain user-uploaded content served from repositories. This may allow an authenticated attacker with repository upload privileges to exploit a stored cross-site scripting (XSS) vulnerability, with the injected content executing in the context of the viewing user's browser session.
We have mitigated the issue with an internal code change. This vulnerability was identified by an external researcher and has been verified by our security team.
Recommendation
We strongly recommend that all affected instances of Sonatype Nexus Repository 3 be upgraded to Nexus Repository version 3.87.0 or later. Download the latest version from the following location: https://help.sonatype.com/repomanager3/download
Immediate Mitigation Options
Upgrading Nexus Repository is the recommended approach for eliminating this vulnerability. If you cannot upgrade immediately, consider the following temporary mitigations:
- Set “Content Disposition” in repository settings to “attachment”. This causes browsers to download files from repositories rather than render them, so uploaded content that could carry an XSS payload is not interpreted in the browser.
- Configure a reverse proxy to add the Content-Security-Policy sandbox header for content served from /repository/ paths.
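The second mitigation, as an added example that is not part of the advisory or Sonatype's own documentation: an nginx reverse-proxy fragment that attaches the Content-Security-Policy sandbox header to everything served under /repository/. It assumes nginx fronts Nexus on 127.0.0.1:8081 with the server name nexus.example.com; both are placeholders.

```nginx
# Added example (not from the advisory). Assumptions: Nexus listens on
# 127.0.0.1:8081 (its default port) and the public name is nexus.example.com.
server {
    listen 443 ssl;
    server_name nexus.example.com;
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # Site-wide response headers.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Repository content: the regression leaves the security header off
    # responses here, so the proxy supplies a CSP sandbox instead. A bare
    # "sandbox" directive (no allow-* flags) gives the response a unique
    # origin and blocks script execution, so an uploaded HTML or SVG artifact
    # cannot run in the Nexus origin or read its session.
    location /repository/ {
        # Caveat: add_header in a location block REPLACES the add_header set
        # inherited from the server block, so site-wide headers must be
        # repeated here or they silently disappear on these responses.
        add_header Strict-Transport-Security "max-age=31536000" always;
        add_header Content-Security-Policy "sandbox" always;
        # "always" also emits the header on 4xx/5xx responses.

        proxy_pass http://127.0.0.1:8081;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 1G;   # artifact uploads pass through this path
    }

    # UI and REST API are proxied unchanged.
    location / {
        proxy_pass http://127.0.0.1:8081;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

After reloading nginx, confirm the mitigation with `curl -sI https://nexus.example.com/repository/<repo>/<artifact>` and check that the response carries `Content-Security-Policy: sandbox`; responses for the UI under `/` should be unchanged.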
Credit
This issue was discovered and reported responsibly by Seif Elsallamy / @0x21SAFE via Sonatype’s Bug Bounty Program.
Support
If you run into any problems, or have any questions/concerns, please contact us by filing a ticket at https://support.sonatype.com.
Frequently Asked Questions
Q: What is the risk associated with this vulnerability?
A: An authenticated user with repository upload privileges may be able to perform privilege escalation, potentially gaining elevated access to the Nexus Repository instance.
Q: What preconditions must be met in order to be vulnerable?
A: An attacker must have authenticated access to a Nexus Repository 3 instance (versions 3.83.0 through 3.86.2) with permissions to upload artifacts to at least one repository. Alternatively, if an attacker can compromise a repository being proxied by the target Nexus Repository instance, malicious content could be delivered through that proxy connection without direct upload access to the target instance.
Q: What types of repositories are affected?
A: All repository types are affected: hosted repositories (where artifacts are uploaded directly), proxy repositories (which cache content from remote repositories), and group repositories (which aggregate multiple repositories). Organizations should assess their exposure across all repository types, including evaluating the security posture of any remote repositories being proxied.
Q: Why is Sonatype making this information available?
A: This is part of a responsible disclosure process. Given the widespread usage of Sonatype Nexus Repository 3, notifying the user base will invariably lead to broad dissemination. We are taking a concerted and proactive approach in our outreach activities in an effort to achieve the most rapid remediation possible.