CVE Alert: CVE-2025-11864 – NucleoidAI – Nucleoid
CVE-2025-11864
A vulnerability was identified in NucleoidAI Nucleoid up to 0.7.10. The affected element is the function extension.apply in the file /src/cluster.ts of the component Outbound Request Handler. Manipulation of the argument https/ip/port/path/headers leads to server-side request forgery. The attack can be launched remotely.
AI Summary Analysis
Risk verdict
High risk of remote server-side request forgery; patching should be treated as a priority.
Why this matters
The flaw lets an attacker coerce the outbound request mechanism into reaching arbitrary targets, potentially exfiltrating data or reaching internal services. No user interaction or authentication is required, which increases the likelihood of unnoticed impact in live environments and of disruption to internal communications.
Most likely attack path
Exploitation requires no authentication and low attack complexity, and the vulnerable code is reachable over the network. An attacker can supply crafted https/ip/port/path/headers values to the extension.apply function, triggering outbound requests from the service to internal or downstream systems. If internal services are reachable, this may expose sensitive resources or enable pivoting within a network segment.
Who is most exposed
Organizations running this component in internet-facing or poorly segmented environments, or in cloud/microservice setups with outbound request handlers, are most at risk. Systems with permissive internal trust and visible outbound access are particularly vulnerable.
Detection ideas
- Outbound HTTP/S requests to unusual or internal endpoints from the affected component.
- Logs showing extension.apply handling crafted URLs or headers.
- Spikes or anomalies in egress traffic to non-approved destinations.
- IDS/WAF alerts for SSRF-like patterns or unusual port accesses.
- Unexpected failures or retries in outbound request paths.
Mitigation and prioritisation
- Upgrade to the fixed release or vendor-recommended version; verify patch applicability.
- If immediate patching isn’t possible, disable or tightly constrain the outbound request capability.
- Implement strict outbound allowlists and validate/normalise input URLs before processing.
- Enable network egress controls and segment the affected component from critical internal services.
- Plan a controlled upgrade in change-management windows; monitor egress for SSRF indicators.
- Note: KEV/EPSS data is not present; treat as high-priority risk based on remote, unauthenticated access.