Sonatype Nexus Security Advisory
Date: January 13, 2026
Affected Versions: Sonatype Nexus Repository 3.0.0 through * (CE/Pro)
Workaround available in Version: Sonatype Nexus Repository 3.88.0 (CE/Pro)
Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in the proxy repository configuration of Nexus Repository 3. An authenticated administrator can configure a proxy repository with a remote storage URL that, when accessed by users, allows the server to make requests to unintended network destinations including cloud metadata services and internal networks.
This vulnerability requires administrator privileges to configure the malicious proxy repository and requires a user to access artifacts through that repository. Version 3.88.0 introduces enhanced URL validation capabilities that can restrict requests to unauthorized network destinations. However, this protection is disabled by default and requires explicit configuration to enable. Administrators must configure the private network validation settings after upgrading to be protected from this vulnerability.
This issue was discovered externally and reported responsibly by Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc. Sonatype has verified and addressed the vulnerability.
We are not aware of active exploitation of this vulnerability at the time of this announcement.
Updates
2026-02-17: The secure-by-default setting (nexus.proxy.allowPrivateNetworks=false) will not be enabled in 3.90.0 as previously described.
Recommendation
Customers running affected versions of Nexus Repository 3 should take the following actions:
1. Upgrade to version 3.88.0 or later
Download the latest version from Sonatype’s official download page.
2. Enable private network validation
IMPORTANT: Upgrading alone does not protect against this vulnerability. In version 3.88.0, private network validation is disabled by default and must be explicitly enabled. For detailed configuration instructions, see Securing Nexus Repository Manager.
3. Review existing configurations
After enabling protection, review existing proxy repository configurations for any suspicious remote storage URLs. Note that from 3.88.0 on, the cloud metadata endpoint (169.254.169.254) is blocked regardless of whether private network validation is enabled.
Immediate Mitigation Options
For environments unable to upgrade immediately, consider the following temporary mitigations:
- Review and audit all proxy repository configurations, particularly the “Remote Storage URL” field
- Restrict administrator access to trusted personnel only
- Implement network-level egress filtering to prevent the Nexus Repository server from accessing cloud metadata endpoints (169.254.169.254) and sensitive internal network ranges
- Monitor proxy repository configuration changes through audit logs
These mitigations reduce risk but do not eliminate the vulnerability. Upgrading to version 3.88.0 and enabling private network validation is the complete remediation.
Credit
This issue was discovered and reported responsibly by Kazuma Matsumoto of GMO Cybersecurity by IERAE, Inc.
Frequently Asked Questions
Q: What is the risk associated with this vulnerability?
A: An attacker with administrator privileges could configure a proxy repository to access cloud instance metadata services or internal network resources. This could potentially lead to credential theft from cloud environments or unauthorized access to internal services. The attack requires both administrator access and subsequent user interaction with the configured repository.
Q: What preconditions must be met in order to be vulnerable?
A: All of the following must hold:
- The attacker has administrator-level privileges in Nexus Repository
- The attacker can create or modify proxy repository configurations
- A user then accesses artifacts through the maliciously configured proxy repository
Additionally, the Nexus Repository server must have network connectivity to the targeted internal resources or cloud metadata endpoints.
Q: Are there implications associated with this advisory itself?
A: While we provide sufficient information to understand the risk, we limit technical details to reduce the likelihood of exploitation. Administrators should assess whether their environment is at risk (particularly cloud deployments and those with access to sensitive internal networks) and take appropriate action to upgrade or implement mitigations.
Q: Where can I obtain more information associated with the vulnerability?
A: Due to the security-sensitive nature of this vulnerability, we are limiting public technical details. Customers who require additional information for security assessment purposes should contact Sonatype Support at https://support.sonatype.com.
Q: Why is Sonatype making this information available?
A: Sonatype follows responsible disclosure practices. We coordinate with security researchers through our bug bounty program and external reporting channels like JPCERT/CC, develop and test fixes, and proactively notify customers when security updates are available. This advisory enables customers to understand the risk and take appropriate action.
Q: Is upgrading to 3.88.0 sufficient to protect against this vulnerability?
A: No. Version 3.88.0 introduces the protection mechanism, but it is disabled by default. You must explicitly set nexus.proxy.allowPrivateNetworks=false in nexus.properties, or set the environment variable NEXUS_PROXY_ALLOWPRIVATENETWORKS=false, to enable the protection. See the Recommendation section above, which links to the configuration documentation.
Q: Should I be concerned if I don’t use proxy repositories?
A: No. If you are not using proxy repositories in your Nexus Repository installation, this vulnerability does not affect your deployment; it is specific to the proxy repository feature. Keep in mind, however, that the precondition is administrator privileges, and an administrator can create a proxy repository at any time, so the mitigations on restricting administrator access and monitoring configuration changes still apply.
Q: Will enabling this protection break my existing proxy repositories that point to internal artifact repositories?
A: If you have legitimate proxy repositories pointing to internal IP addresses or private networks, you will need to explicitly allow them using the nexus.proxy.privateNetworks.allowedIPs or nexus.proxy.privateNetworks.allowedDomains configuration properties. Review your proxy repository configurations before enabling the protection to identify any internal repositories that need to be allowlisted.
Q: Are cloud metadata endpoints blocked automatically?
A: Yes. Cloud instance metadata addresses (169.254.169.254) are always blocked regardless of your private network validation configuration. This provides protection against the most critical attack vector even if you have not yet configured private network restrictions.