April 13, 2020

GHSL-2020-015: Remote Code Execution - Bypass of CVE-2018-16621 mitigations in Nexus Repository Manager

Alvaro Munoz


GHSL-2020-015 - Remote Code Execution - Bypass of CVE-2018-16621 mitigations


Nexus Repository Manager

Tested Version





The current mitigation for the EL injections reported in CVE-2018-16621 strips the EL delimiters out of user-controlled data with the stripJavaEl method:

public String stripJavaEl(final String value) {
	if (value != null) {
		// Rewrite every "${" (and "$${", "$$${", ...) to a bare "{"
		return value.replaceAll("\\$+\\{", "{");
	}
	return null;
}

However, several bugs were found in Hibernate Validator and Java EL which enable the EL expression engine to process EL expressions that are not wrapped in the standard ${} delimiters. The regular expression used in stripJavaEl does not match those delimiters, so it is possible to re-enable CVE-2018-16621.
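The weakness described above is structural: a strip-the-known-delimiter regex is a blocklist, and it only works while the interpolator accepts exactly the delimiters the regex knows about. The following is an added illustration written for this page, not code from Nexus Repository Manager or from the advisory. It places the regex approach quoted above next to a hypothetical escaping alternative that follows the Bean Validation message-interpolation rules, under which a literal backslash, brace or dollar sign is written by prefixing it with a backslash. Escaping every such character, rather than recognising one delimiter shape, keeps the value literal regardless of which delimiter form the interpolator happens to honour. The alternative is an assumption of this example, not the vendor's fix.

```java
import java.util.regex.Pattern;

/**
 * Added illustration (not Nexus or Sonatype code): the advisory's regex-based
 * stripping beside an escape-everything alternative based on the Bean
 * Validation message-interpolation escaping rules.
 */
public class ElSanitizerComparison {

    // Same behaviour as the stripJavaEl method quoted in the advisory:
    // only the "${" form of the delimiter is rewritten.
    private static final Pattern DOLLAR_BRACE = Pattern.compile("\\$+\\{");

    public static String stripJavaEl(final String value) {
        if (value != null) {
            return DOLLAR_BRACE.matcher(value).replaceAll("{");
        }
        return null;
    }

    // Hypothetical alternative: instead of recognising delimiters, escape every
    // character the Bean Validation interpolator treats as special
    // ('\', '{', '}', '$') with a backslash, so the value is always read literally.
    public static String escapeForMessageTemplate(final String value) {
        if (value == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\':
                case '{':
                case '}':
                case '$':
                    sb.append('\\');
                    // fall through: emit the character itself after its escape
                default:
                    sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs for the comparison
        String[] samples = {
            "plain text",
            "${1+1}",
            "$${1+1}",
            "a{b}c",
            "back\\slash",
        };
        for (String s : samples) {
            System.out.printf("%-12s strip -> %-12s escape -> %s%n",
                s, stripJavaEl(s), escapeForMessageTemplate(s));
        }
    }
}
```

Running the class shows the difference in approach: the strip variant leaves "a{b}c" untouched, so the result still contains the brace that a message interpolator treats as a parameter delimiter, while the escape variant returns "a\{b\}c" and "\$\{1+1\}", which the interpolator renders as literal text. Where a value does not need to be interpolated at all, passing it as a message parameter through the validator's own API rather than embedding it in the template is the safer design; escaping is the fallback when the template must carry the value.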

These bugs have been reported to the corresponding vendors and will be fixed in future releases.

What follows is a list of all endpoints affected by this vulnerability:


This issue may lead to remote code execution by high-privilege users.

Coordinated Disclosure Timeline


This issue was discovered and reported by GHSL team member @pwntester (Alvaro Muñoz).


You can contact the GHSL team at, please include the GHSL-2020-015 in any communication regarding this issue.