Platform
nodejs
Component
nucleoidai/nucleoid
Fixed in
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.7.8
0.7.9
0.7.10
0.7.11
CVE-2025-11864 describes a server-side request forgery (SSRF) vulnerability discovered in NucleoidAI Nucleoid, a Node.js application. This flaw allows a remote attacker to manipulate outbound requests, potentially accessing internal resources or performing actions on behalf of the server. The vulnerability affects versions 0.7.0 through 0.7.10, and a fix is available in version 0.7.10.
The SSRF vulnerability in NucleoidAI Nucleoid allows an attacker to craft malicious requests that the server will execute. This can lead to several serious consequences. An attacker could potentially access internal services and resources that are not directly exposed to the internet, such as databases, internal APIs, or administrative interfaces. They might also be able to scan the internal network for other vulnerable systems. Furthermore, the attacker could potentially leverage the server to perform actions on other systems, effectively using the NucleoidAI Nucleoid instance as a proxy. The impact is amplified if the NucleoidAI Nucleoid instance is deployed in a sensitive environment or has access to critical data.
CVE-2025-11864 was publicly disclosed on 2025-10-16. The vulnerability's SSRF nature suggests a potentially low to medium exploitation probability, as SSRF attacks often require careful crafting of requests. No public proof-of-concept (POC) code has been identified as of the disclosure date. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.03% (10th percentile)
The primary mitigation for CVE-2025-11864 is to upgrade NucleoidAI Nucleoid to version 0.7.10 or later, which contains the fix. If upgrading immediately is not possible, consider implementing temporary workarounds to restrict outbound requests. This could involve configuring a web application firewall (WAF) to block suspicious requests containing unusual hostnames or IP addresses. Another approach is to implement strict input validation on the request parameters, ensuring that they conform to expected formats. Carefully review and restrict the allowed protocols for outbound requests. After upgrading, verify the fix by attempting to craft an SSRF request and confirming that it is blocked or handled securely.
Update NucleoidAI Nucleoid to version 0.7.10 or higher. This version contains a fix for the Server-Side Request Forgery (SSRF) vulnerability in the outbound request handler. The update will mitigate the risk of remote attackers manipulating requests and accessing internal resources.
CVE-2025-11864 is a server-side request forgery vulnerability in NucleoidAI Nucleoid versions 0.7.0–0.7.10, allowing attackers to manipulate outbound requests and potentially access internal resources.
You are affected if you are running NucleoidAI Nucleoid versions 0.7.0 through 0.7.10. Upgrade to version 0.7.10 to mitigate the risk.
Upgrade NucleoidAI Nucleoid to version 0.7.10 or later. As a temporary workaround, configure a WAF or implement strict input validation on request parameters.
As of the disclosure date, there are no confirmed reports of active exploitation, but the SSRF nature of the vulnerability warrants caution.
Refer to the official NucleoidAI documentation and security advisories for the most up-to-date information regarding CVE-2025-11864.