Release Notes

Security Fix

A critical security vulnerability has been found in 3.26.1 and earlier. For details, please see CVE-2020-13933.

Sonatype recommends that administrators upgrade to 3.27.0 or newer immediately.

Nexus Repository Manager 3.30.1

Includes a security fix for an Information Disclosure CVE. See the CVE-2021-30635 advisory for details.
Includes a security fix for an XSS vulnerability.  See CVE-2021-29159 advisory for details.
Includes a security fix for a Sensitive Information Disclosure CVE. See the CVE-2021-29158 advisory for details.

Sonatype recommends administrators running Nexus Repository Manager 3.30.0 and earlier to upgrade immediately.


These notes are a compilation of the improvements and significant bug fixes for Nexus Repository Manager 3.30.1.

See the complete release notes for all resolved issues.

General Improvements

  • [NEXUS-27384Upgrade Eclipse Jetty to 9.4.40.v20210413

Bug Fixes


  • [NEXUS-26789] Performance improvement to rebuilding GA maven-metadata.xml

NuGet V3

  • [NEXUS-26501] Package content is out of specification when downloading from NuGet hosted


  • [NEXUS-27013] Raw proxy is encoding slashes for outbound requests
  • [NEXUS-26855] Non-indexed raw proxy repositories cannot be browsed

Nexus Repository Manager 3.30.0


See the complete release notes for all resolved issues.

New and Noteworthy

Azure Blob Store Support


PRO Nexus Repository Manager now includes the ability to create blobstores backed by Microsoft's Azure Blob storage.

Protection Against Namespace Confusion

Users of Sonatype's Nexus Firewall can indicate which repositories include proprietary content. When combined with a new policy condition in Nexus IQ this can help prevent namespace attacks by quarantining external packages which use the same name as your proprietary internal components. For more details checkout our demo video.

GPG for Yum Repositories

Yum repositories can be configured with GPG support for binary signing.

Logjam Attack Prevention


To protect against the logjam attacks Nexus Repository Manager now enforces a minimum of 2048-bit keys.

Bug Fixes

NEXUS-26606 - Upgraded Jetty to 9.4.38.v20210224

NEXUS-23750 - Added support for Github's npm repositories

NEXUS-12022 - Allow configuring HTTPS Maven proxy repositories with pre-emptive authentication

Nexus Repository Manager 3.29.2


Users of 3.29.1

If you installed 3.29.1 and modified or created a cleanup policy the following is critical.

A bug in the implementation of the new user interface for Cleanup Policies resulted in a value displayed as days being interpreted as seconds. If you created or modified a cleanup policy while using 3.29.1 after updating you must confirm that these fields have the intended values.

Bug Fix

NEXUS-26251 - Interface for Cleanup Policies erroneously interprets and persists values as seconds instead of days