SONATYPE NEXUS REPOSITORY
Upgrade Your Repository
Critical Security Risks Found in Older OSS Versions
Critical security risks have been detected in outdated Nexus Repository OSS versions. These risks have been addressed, but older versions of Nexus Repository using OrientDB contain unpatchable, high-severity vulnerabilities that attackers actively exploit. Protect your software supply chain by upgrading today.
Update Your Database to Patch Critical Vulnerabilities
You’re currently running a version of Nexus Repository OSS that relies on an older architecture with outdated libraries and frameworks. All releases below 3.70.5 contain known, high-severity vulnerabilities that attackers actively exploit. These issues have been addressed, but can’t be fully patched on the legacy OrientDB-based stack, which is why upgrading is the only reliable way to secure your environment.
Critical Vulnerabilities
These are critical (CVSS 9–10) vulnerabilities that attackers actively look for when targeting developer infrastructure. They pose real, immediate risk to anyone running older versions. The list below is a snapshot pulled from a representative SBOM of affected releases and a clear signal that it’s time to migrate to a supported, secure version.
| Library / Component | Threat Score | Type of Risk | Why It Matters |
|---|---|---|---|
| Nexus Repository Task Management | 9.4 | Authenticated Remote Code Execution | An authenticated attacker with specific permissions could execute arbitrary code, potentially leading to full compromise of the Nexus Repository server and its contents. |
| Nexus Repository Internal Database Component | 9.2 | Hardcoded Credential / Unauthorized Access | Under affected conditions, an unauthenticated attacker with network access could gain unauthorized database access and execute commands on the host system. |
| DOMPurify 2.3.10 | 9.8 | XSS Bypass | Allows malicious scripts to run in the UI, potentially taking over admin sessions. |
| Jetty Server 9.4.x | 8.8 | Request Smuggling / DoS | End-of-life server vulnerable to authentication bypass and service disruption. |
These vulnerabilities cannot be fully addressed without upgrading the underlying architecture.
What's the Risk?
- Loss of Build Integrity: attackers can compromise build pipelines by injecting malicious components
- Exfiltrated Credentials: secrets and credentials for data stored on or near the repository can be exfiltrated
- Remote Code Execution
- Workflow Corruption: attackers can crash or disrupt developer workflows, stalling releases
- Unauthorized Admin Access
- Open Source Malware
How to Secure Your Repository
Migrating off your current release is critical to maintaining a secure repository instance. You can either move to the cloud for improved security, simplified management, and scalability, or remain self-hosted and upgrade your database to PostgreSQL to mitigate your risk.
Option A: Move to Repository Cloud (Recommended)
Sonatype makes moving to Nexus Repository Cloud simple and predictable. Whether you choose to manage the transfer independently using Sonatype’s Instance Migrator or work directly with a Migration Specialist, we have you covered.
- Fastest way to eliminate legacy vulnerabilities
- Always up-to-date and patched
- No servers to maintain
- Migrate on your own or take advantage of our migration services for expert assistance
Option B: Migrate to PostgreSQL Database
Not ready to migrate to the cloud? Upgrading to a Postgres-backed release removes the vulnerable OrientDB stack and keeps your environment secure without changing how your teams work.
- Removes OrientDB risks
- Uses modern, supported libraries
- Compatible with existing automation
- Migrate on your own or take advantage of our migration services for expert assistance
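A fleet audit for the two conditions this page names (a release below 3.70.5, or an instance still on the OrientDB stack), written as an added example rather than Sonatype's own tooling. It assumes that Nexus Repository 3 reports its version in the `Server` response header (e.g. `Nexus/3.58.1-02 (OSS)`) and that `nexus.datastore.enabled=true` in `nexus.properties` marks the non-OrientDB datastore; the inventory below is constructed, not real hosts.

```python
import re

MIN_SAFE_VERSION = (3, 70, 5)  # threshold stated on this page

# Assumption: version appears in the Server header as "Nexus/<major>.<minor>.<patch>-<build> (OSS)".
_VERSION_RE = re.compile(r"Nexus/(\d+)\.(\d+)\.(\d+)(?:-\d+)?")


def parse_version(server_header: str):
    """Return (major, minor, patch) from a Server header, or None if it is not a Nexus header."""
    m = _VERSION_RE.search(server_header)
    return tuple(int(x) for x in m.groups()) if m else None


def parse_properties(text: str) -> dict:
    """Minimal key=value parser for nexus.properties (comments and blank lines skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def uses_orientdb(props: dict) -> bool:
    # Assumption: when nexus.datastore.enabled is absent or false, the legacy OrientDB stack is in use.
    return props.get("nexus.datastore.enabled", "false").lower() != "true"


def assess(server_header: str, properties_text: str) -> list:
    """List the findings for one instance; an empty list means neither condition applies."""
    findings = []
    version = parse_version(server_header)
    if version is None:
        findings.append("version unknown: inspect manually")
    elif version < MIN_SAFE_VERSION:
        findings.append("release %d.%d.%d is below 3.70.5" % version)
    if uses_orientdb(parse_properties(properties_text)):
        findings.append("legacy OrientDB datastore in use: migrate to PostgreSQL or Cloud")
    return findings


def audit(inventory: dict) -> dict:
    return {name: assess(header, props) for name, (header, props) in inventory.items()}


# Constructed sample inventory: hostname -> (Server header, nexus.properties contents).
SAMPLE = {
    "build-repo-1": ("Nexus/3.58.1-02 (OSS)", "nexus.datastore.enabled=false\n"),
    "build-repo-2": ("Nexus/3.70.5-01 (OSS)",
                     "nexus.datastore.enabled=true\n"
                     "nexus.datastore.nexus.jdbcUrl=jdbc:postgresql://db.example.internal:5432/nexus\n"),
}
```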
Don't Leave Your Supply Chain Exposed
Upgrading today protects your developers, your pipelines, and your customers.
Upgrade to the Cloud