SONATYPE NEXUS REPOSITORY
Upgrade Your Repository
Critical Security Risks Found in Older OSS Versions
Critical security risks have been detected in outdated Nexus Repository OSS versions. These risks have been addressed, but older versions of Nexus Repository using OrientDB contain unpatchable, high-severity vulnerabilities that attackers actively exploit. Protect your software supply chain by upgrading today.
Update Your Database to Patch Critical Vulnerabilities
You’re currently running a version of Nexus Repository OSS that relies on an older architecture with outdated libraries and frameworks. All releases below 3.70.5 contain known, high-severity vulnerabilities that attackers actively exploit. These issues have been addressed, but can’t be fully patched on the legacy OrientDB-based stack, which is why upgrading is the only reliable way to secure your environment.
Critical Vulnerabilities
These are critical (CVSS 9–10) vulnerabilities that attackers actively look for when targeting developer infrastructure. They pose real, immediate risk to anyone running older versions. The list below is a snapshot pulled from a representative SBOM of affected releases and a clear signal that it’s time to migrate to a supported, secure version.
| Library / Component | Threat Score | Type of Risk | Why It Matters |
|---|---|---|---|
| DOMPurify 2.3.10 | 10 | XSS Bypass | Allows malicious scripts to run in the UI, potentially taking over admin sessions. |
| XStream 1.4.20 | 9 | Remote Code Execution | Crafted XML input can execute system commands on your server. |
| Commons-Collections 3.2.2 | 9 | RCE Gadget Chain | One of the most widely exploited deserialization paths for total host compromise. |
| Jetty Server 9.4.x | 9 | Request Smuggling / DoS | End-of-life server vulnerable to authentication bypass and service disruption. |
| Keycloak SAML 12.x | 9 | Auth Bypass | Attackers may impersonate users, including admins. |
| Commons FileUpload 1.5 | 9 | Arbitrary File Upload | Malicious files or shells can be placed directly on the server. |
These vulnerabilities cannot be fully addressed without upgrading the underlying architecture.
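The table above is described as a snapshot from an SBOM, and the page states that every release below 3.70.5 is affected. A defender can turn both statements into a quick inventory check: parse the SBOM an instance ships with, flag any component on the watch-list, and compare the running version against the 3.70.5 floor. The script below is an added example, not Sonatype's tooling or part of this page; it assumes a CycloneDX-style JSON document with a `components` array of `{name, version}` objects (the sample SBOM is constructed), takes its watch-list and version threshold from the table and text above, and deliberately matches component names loosely (normalised substring) so that `commons-fileupload` in an SBOM still hits the table's "Commons FileUpload" entry.

```python
"""Flag watch-listed components in a CycloneDX-style SBOM and check a Nexus version string."""
import json
from typing import Dict, List, Tuple

# Watch-list transcribed from the page's table: (component, version or prefix, threat score, risk).
# A version ending in "." means "any version with that prefix" (the table's "9.4.x" and "12.x").
WATCHLIST: List[Tuple[str, str, int, str]] = [
    ("DOMPurify", "2.3.10", 10, "XSS Bypass"),
    ("XStream", "1.4.20", 9, "Remote Code Execution"),
    ("Commons-Collections", "3.2.2", 9, "RCE Gadget Chain"),
    ("Jetty Server", "9.4.", 9, "Request Smuggling / DoS"),
    ("Keycloak SAML", "12.", 9, "Auth Bypass"),
    ("Commons FileUpload", "1.5", 9, "Arbitrary File Upload"),
]

# The page states that all releases below 3.70.5 are affected.
MIN_SAFE_NEXUS: Tuple[int, ...] = (3, 70, 5)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.70.5-01' into (3, 70, 5); stops at the first non-numeric segment."""
    core = version.split("-")[0]
    nums: List[int] = []
    for part in core.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def nexus_is_outdated(version: str) -> bool:
    """True when the Nexus version string is below the 3.70.5 floor the page names."""
    return parse_version(version) < MIN_SAFE_NEXUS


def _normalise(name: str) -> str:
    # Collapse case, spaces and hyphens so 'Commons FileUpload' == 'commons-fileupload'.
    return "".join(ch for ch in name.lower() if ch.isalnum())


def version_matches(installed: str, pattern: str) -> bool:
    """Exact match, or prefix match when the watch-list pattern ends with '.'."""
    if pattern.endswith("."):
        return installed.startswith(pattern)
    return installed == pattern


def scan_sbom(sbom: Dict) -> List[Dict]:
    """Return one finding per SBOM component that matches a watch-list entry, highest score first."""
    findings: List[Dict] = []
    for comp in sbom.get("components", []):
        comp_name = _normalise(comp.get("name", ""))
        comp_version = str(comp.get("version", ""))
        for watch_name, watch_version, score, risk in WATCHLIST:
            if _normalise(watch_name) in comp_name and version_matches(comp_version, watch_version):
                findings.append({
                    "component": comp["name"],
                    "version": comp_version,
                    "matches": watch_name,
                    "score": score,
                    "risk": risk,
                })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed sample SBOM (not from any real Nexus release): two exact hits, one prefix hit,
# and one XStream version that is deliberately *not* on the watch-list.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "dompurify", "version": "2.3.10"},
    {"name": "xstream", "version": "1.4.21"},
    {"name": "jetty-server", "version": "9.4.53.v20231009"},
    {"name": "commons-fileupload", "version": "1.5"}
  ]
}
""")


if __name__ == "__main__":
    for finding in scan_sbom(SAMPLE_SBOM):
        print(f"[{finding['score']}] {finding['component']} {finding['version']}: {finding['risk']}")
    for v in ("3.70.4-01", "3.70.5-01", "3.71.0-02"):
        print(v, "outdated" if nexus_is_outdated(v) else "at or above 3.70.5")
```

Run it against a real SBOM by replacing `SAMPLE_SBOM` with `json.load(open(path))`; the loose name matching is intentional (it prefers a false positive that a human triages over a silent miss), so review each finding against the actual artifact before acting on it.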
What's the Risk?
Loss of Build Integrity
Compromise build pipelines by allowing attackers to inject malicious components
Exfiltrated Credentials
Risk of secrets and credential exfiltration for data stored on or near the repo
Remote Code Execution
Workflow Corruption
Attackers can crash or disrupt developer workflows, stalling releases
Unauthorized Admin Access
Open Source Malware
How to Secure Your Repository
Migrating off your current release is critical to maintaining a secure repository instance. You can either move to the cloud for improved security, simplified management, and scalability, or remain self-hosted and upgrade your database to PostgreSQL to mitigate your risk.
Option A: Move to Repository Cloud (Recommended)
Sonatype makes moving to Nexus Repository Cloud simple and predictable. Whether you choose to manage the transfer independently using Sonatype’s Instance Migrator or work directly with a Migration Specialist, we have you covered.
- Fastest way to eliminate legacy vulnerabilities
- Always up-to-date and patched
- No servers to maintain
- Migrate on your own or take advantage of our migration services for expert assistance
Option B: Migrate to PostgreSQL Database
Not ready to migrate to the cloud? Upgrading to a Postgres-backed release removes the vulnerable OrientDB stack and keeps your environment secure without changing how your teams work.
- Removes OrientDB risks
- Uses modern, supported libraries
- Compatible with existing automation
- Migrate on your own or take advantage of our migration services for expert assistance
Don't Leave Your Supply Chain Exposed
Upgrading today protects your developers, your pipelines, and your customers.
Upgrade to the Cloud