Description
Server-Side Request Forgery (SSRF) in the Remote Browser Plugin in Sonatype Nexus Repository 2.x up to and including 2.15.2 allows unauthenticated remote attackers to exfiltrate proxy repository credentials via crafted HTTP requests.
References (1)
Vendor advisory (Various Sources): https://support.sonatype.com/hc/en-us/articles/45363201583635
Scores
CVSS v4: 8.7
EPSS: 0.0046
EPSS Percentile: 36.4%
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-918
Status: published
Products (1)
Sonatype/Nexus Repository: 2.0.0 - 2.15.2
Published: Oct 08, 2025
Tracked Since: Feb 18, 2026