CVE-2025-11864
📋 TL;DR
This vulnerability allows remote attackers to perform server-side request forgery (SSRF) attacks against NucleoidAI Nucleoid servers. Attackers can manipulate outbound request parameters to make the server send requests to internal or external systems. This affects all deployments running Nucleoid up to version 0.7.10.
💻 Affected Systems
- NucleoidAI Nucleoid
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access internal services, exfiltrate sensitive data, or pivot to attack other internal systems by using the vulnerable server as a proxy.
Likely Case
Information disclosure from internal services, potential data exfiltration, or denial of service through resource exhaustion.
If Mitigated
Limited impact if network segmentation restricts outbound connections and input validation is implemented.
🎯 Exploit Status
The vulnerability description suggests remote exploitation without authentication. The attacker-controlled inputs are the https, ip, port, path and headers parameters passed to the Outbound Request Handler.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.7.11 or later
Vendor Advisory: https://github.com/NucleoidAI/Nucleoid
Restart Required: Yes
Instructions:
1. Check the current version.
2. Update to Nucleoid 0.7.11 or later.
3. Restart the Nucleoid service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Input Validation and Sanitization
Applies to: all
Implement strict input validation for all parameters passed to the Outbound Request Handler
Network Segmentation
Applies to: all
Restrict outbound network connections from Nucleoid servers to only necessary destinations
🧯 If You Can't Patch
- Implement strict network egress filtering to limit outbound connections from Nucleoid servers
- Deploy a web application firewall (WAF) with SSRF protection rules
🔍 How to Verify
Check if Vulnerable:
Check the Nucleoid version. If the version is 0.7.10 or earlier, the system is vulnerable.
Check Version:
Check package.json, or run the following from the Nucleoid installation directory: node -e "console.log(require('./package.json').version)"
Verify Fix Applied:
Verify the Nucleoid version is 0.7.11 or later and test that outbound request parameters are properly validated.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound requests from Nucleoid server
- Requests to internal IP addresses or unexpected domains
- Multiple failed outbound connection attempts
Network Indicators:
- Outbound connections from Nucleoid server to unexpected destinations
- Unusual traffic patterns from Nucleoid server
SIEM Query:
source="nucleoid" AND (dest_ip IN internal_ranges OR dest_domain NOT IN allowed_domains)