CVE-2025-13488
Description
Due to a regression introduced in version 3.83.0, a security header is no longer applied to certain user-uploaded content served from repositories. This may allow an authenticated attacker with repository upload privileges to exploit a stored cross-site scripting (XSS) vulnerability with user context.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-13488 describes a missing security header on user-uploaded content in Sonatype Nexus Repository 3.83.0+, enabling stored XSS by authenticated attackers with upload privileges.
Vulnerability Details
The vulnerability arises from a regression introduced in Sonatype Nexus Repository version 3.83.0, where a specific security header is no longer applied to certain user-uploaded content served from repositories [1]. This header normally stops a browser from treating a served file as an active document or executable script, so without it an uploaded file can be rendered and its script run in the browsing user's context.
Attack Vector and Prerequisites
An attacker must have valid authentication to the Nexus Repository instance and possess upload privileges (e.g., the ability to upload files to a repository) [1]. The attacker can then upload a file containing malicious script code. When another user accesses, views, or downloads the uploaded file, the missing security header fails to block the script from executing in the browser, leading to stored cross-site scripting (XSS) [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to theft of session cookies, impersonation of the user, unauthorized actions on the repository, or exfiltration of sensitive data [1]. The vulnerability is rated Medium severity (CVSS not stated in sources) because it requires authenticated access and upload rights, but it can affect any user who interacts with the malicious content.
Mitigation Status
Sonatype has addressed this issue in Nexus Repository version 3.87.2 or later [1]. Administrators should upgrade to at least version 3.87.2 to restore the missing security header. No workaround is described in the advisory; however, restricting upload privileges to trusted users and enabling Content Security Policy (CSP) headers may reduce risk prior to patching.
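To verify after upgrading (or to triage an instance before patching) an administrator can capture the HTTP response for a user-uploaded file and audit its headers. The following is an added example, not Sonatype's code; the advisory does not name the missing header, so the headers it checks (X-Content-Type-Options, Content-Security-Policy, Content-Disposition) are an assumption about what a browser relies on to avoid rendering an upload as an active page, and both sample responses are constructed.

```python
"""Offline audit of the headers a repository server sends with user-uploaded
content. Added example, not Sonatype's code. The advisory does not name the
missing header; the ones checked here are an assumption about what a browser
needs to avoid rendering an upload as an active document. Samples are constructed."""

# Content types a browser renders as an active document when served inline.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml", "text/xml", "application/xml"}

def parse_response(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.1 response into (status line, lowercased header map)."""
    head, _, _body = raw.partition("\r\n\r\n")
    status, _, header_block = head.partition("\r\n")
    headers = {}
    for line in filter(None, header_block.split("\r\n")):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def audit_upload_headers(headers: dict[str, str]) -> list[str]:
    """Return the list of missing protections; an empty list means all checks passed."""
    findings = []
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("no X-Content-Type-Options: nosniff")
    csp = headers.get("content-security-policy", "").lower()
    if "sandbox" not in csp and "script-src 'none'" not in csp:
        findings.append("CSP does not sandbox the document or block scripts")
    if not headers.get("content-disposition", "").lower().startswith("attachment"):
        findings.append("served inline (no Content-Disposition: attachment)")
    return findings

def renders_as_active_content(headers: dict[str, str]) -> bool:
    """True when the upload would be rendered as HTML/SVG/XML with no protection at all."""
    mime = headers.get("content-type", "").split(";")[0].strip().lower()
    return mime in ACTIVE_TYPES and bool(audit_upload_headers(headers))

# Constructed sample: headers as a regressed server might return them.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>upload</body></html>"
)
# Constructed sample: the same upload with protective headers in place.
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: sandbox allow-forms allow-modals allow-popups; default-src 'none'\r\n"
    "Content-Disposition: attachment; filename=\"index.html\"\r\n"
    "\r\n"
    "<html><body>upload</body></html>"
)
```

Feed a response captured with `curl -i` for a raw-repository asset to `parse_response` and inspect `audit_upload_headers`; an empty list on a text/html asset is the expected state after the fix.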
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.