Stored Cross-Site Scripting Vulnerability in Sonatype Nexus Repository
CVE-2025-13488

5.1MEDIUM

Key Information:

Vendor

Sonatype

Status
Nexus Repository
Vendor
CVE Published:
4 December 2025

What is CVE-2025-13488?

A regression in version 3.83.0 of Sonatype Nexus Repository has resulted in the omission of a crucial security header for certain user-uploaded content. This vulnerability allows an authenticated attacker, who possesses repository upload privileges, to exploit a stored cross-site scripting (XSS) flaw that operates in the context of users. Successful exploitation may compromise user data and lead to further attacks. Users are advised to review the provided resources and apply necessary patches to ensure their repository remains secure.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Nexus Repository 3.83.0 <= 3.86.2

References

https://help.sonatype.com/en/sonatype-nexus-repository-3-...
patch
https://support.sonatype.com/hc/en-us/articles/4689614276...
vendor-advisory

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Seif Elsallamy / @0x21SAFE
JSON
.