CVE-2025-11864: Server-Side Request Forgery in NucleoidAI Nucleoid

Severity: Medium
Published: Thu Oct 16 2025 (10/16/2025, 21:02:05 UTC)
Source: CVE Database V5
Vendor/Project: NucleoidAI
Product: Nucleoid

Description

A vulnerability was identified in NucleoidAI Nucleoid up to 0.7.10. The impacted element is the function extension.apply of the file /src/cluster.ts of the component Outbound Request Handler. Manipulation of the argument https/ip/port/path/headers leads to server-side request forgery. The attack may be performed remotely.

AI-Powered Analysis

AILast updated: 10/16/2025, 21:29:01 UTC

Technical Analysis

CVE-2025-11864 is a server-side request forgery vulnerability found in NucleoidAI's Nucleoid product, specifically in versions 0.7.0 through 0.7.10. The vulnerability resides in the function extension.apply located in the /src/cluster.ts file within the Outbound Request Handler component. This function processes arguments related to outbound HTTP requests, including https/ip/port/path/headers. Due to insufficient validation or sanitization of these inputs, an attacker can remotely craft malicious requests that cause the server to initiate unintended HTTP requests to arbitrary destinations. This can lead to unauthorized internal network scanning, access to sensitive internal resources, or interaction with external malicious endpoints. The vulnerability does not require any authentication or user interaction, making it remotely exploitable over the network. The CVSS 4.0 base score is 6.9, reflecting medium severity with network attack vector, low complexity, and no privileges required. The impact on confidentiality, integrity, and availability is limited but notable, as SSRF can be a stepping stone for further attacks such as data exfiltration or lateral movement. No public exploits or patches are currently available, so organizations must monitor vendor advisories closely. The vulnerability affects all listed versions up to 0.7.10, indicating that upgrading beyond this version or applying vendor patches when released is critical. Given Nucleoid's role in cloud-native and container orchestration environments, exploitation could compromise cloud infrastructure components or internal APIs.

Potential Impact

For European organizations, the SSRF vulnerability in Nucleoid could lead to unauthorized internal network access, potentially exposing sensitive data or internal services not intended for public access. Attackers could leverage this to perform reconnaissance, access metadata services in cloud environments, or pivot to other internal systems. This risk is particularly relevant for organizations using Nucleoid in cloud-native deployments, microservices architectures, or hybrid cloud environments common in Europe. The impact on confidentiality is moderate due to potential data exposure, while integrity and availability impacts are lower but possible if attackers manipulate internal services. The lack of authentication requirement increases the risk of exploitation by external threat actors. Although no known exploits exist yet, the medium severity score and ease of exploitation warrant proactive mitigation. Industries such as finance, healthcare, and critical infrastructure in Europe, which rely heavily on secure cloud deployments, could be disproportionately affected. Additionally, regulatory compliance frameworks like GDPR emphasize protecting internal data flows, making SSRF vulnerabilities a compliance risk.

Mitigation Recommendations

1. Monitor NucleoidAI vendor channels for official patches addressing CVE-2025-11864 and apply them promptly once available.
2. Implement strict input validation and sanitization on all parameters related to outbound requests, especially https/ip/port/path/headers, to prevent injection of malicious values.
3. Restrict outbound network access from Nucleoid servers using network segmentation and firewall rules to limit requests to only trusted destinations.
4. Employ egress filtering and proxy controls to monitor and block suspicious outbound requests originating from Nucleoid instances.
5. Conduct regular security assessments and penetration testing focused on SSRF and related vulnerabilities within cloud-native environments.
6. Use runtime application self-protection (RASP) or Web Application Firewalls (WAFs) capable of detecting and blocking SSRF attack patterns.
7. Educate development and DevOps teams on secure coding practices related to outbound request handling.
8. Log and monitor outbound requests for anomalies that could indicate exploitation attempts.
9. Consider deploying network-level anomaly detection systems to identify unusual internal traffic patterns caused by SSRF exploitation.
10. Review and limit permissions of Nucleoid components to minimize potential damage from successful exploitation.


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-10-16T14:28:29.618Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68f160199f8a5dbaea0a238f

Added to database: 10/16/2025, 9:14:01 PM

Last enriched: 10/16/2025, 9:29:01 PM

Last updated: 10/19/2025, 4:47:39 AM
