Server-Side Request Forgery in NucleoidAI Nucleoid
CVE-2025-11864

6.9MEDIUM

Key Information:

Vendor: Nucleoidai
Status: Nucleoid
Vendor: CVE Published:; 16 October 2025

What is CVE-2025-11864?

A vulnerability has been discovered in NucleoidAI Nucleoid versions up to 0.7.10 within the outbound request handler. The issue resides in the function 'extension.apply' located in /src/cluster.ts. This flaw allows an attacker to manipulate arguments related to remote server requests, leading to potential exploitation via server-side request forgery (SSRF). Such an attack can be executed remotely, posing a significant risk to server integrity and confidentiality.

Affected Version(s)

Nucleoid 0.7.0

Nucleoid 0.7.1

Nucleoid 0.7.2

References

https://vuldb.com/?id.328809

vdb-entrytechnical-description

https://vuldb.com/?ctiid.328809

signaturepermissions-required

https://vuldb.com/?submit.669928

third-party-advisory

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 16, 2025
Vulnerability Reserved
Oct 16, 2025

Credit

lakshay12311 (VulDB User)

JSON