Description

Server-Side Request Forgery (SSRF) in the Remote Browser Plugin in Sonatype Nexus Repository 2.x up to and including 2.15.2 allows unauthenticated remote attackers to exfiltrate proxy repository credentials via crafted HTTP requests.

PUBLISHED | Reserved 2025-09-02 | Published 2025-10-08 | Updated 2025-10-08 | Assigner Sonatype

HIGH: 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-918 Server-Side Request Forgery (SSRF)

Product status

Default status: unaffected

2.0.0: affected

Credits

Michael Stepankin at GitHub Security Lab (finder)

References

support.sonatype.com/hc/en-us/articles/45363201583635 (vendor advisory)

cve.org (CVE-2025-9868)

nvd.nist.gov (CVE-2025-9868)