github projectdiscovery/nuclei v3.11.0

4 hours ago

What's Changed

⚠️ Breaking Change: Signed templates required for JavaScript protocol

Starting with v3.11.0, custom templates that use the javascript: protocol must be digitally signed before Nuclei will load or execute them. Unsigned JavaScript templates are now skipped during template loading and when referenced from workflows.

Why this change

This release continues the security hardening started in v3.10.0 (sandbox enforcement, network policy checks, stricter code-template handling, YAML include protections, and related fixes in #7469). The JavaScript protocol exposes Go-backed modules through Nuclei's JS runtime, which significantly increases attack surface compared with request-only templates. Requiring signatures brings JavaScript templates in line with the existing protections for code-protocol templates.

Who is affected

Scenario Impact
Default scans using nuclei-templates No action needed - official templates are pre-signed and verified with ProjectDiscovery's public key
Custom/private templates using javascript: Action required - sign templates before use
Templates using only flow: (e.g. flow: http(1)) without javascript: No change
Workflows referencing unsigned JavaScript sub-templates Those sub-templates are skipped

What to do

Sign your custom templates with:

nuclei -sign -t /path/to/your-template.yaml

See the Template Signing documentation for key generation, verification, and signing templates that reference external JavaScript or code files.


🔒 Security

  • feat(templates): require signatures for javascript templates by @dwisiswant0 in #7514

Other Changes

Full Changelog: v3.10.0...v3.11.0

Don't miss a new nuclei release

NewReleases is sending notifications on new releases.