Clarification on robots.txt Exposure and CVE-2024-4956 in Nexus Repository 3.69.0

Hello there,

We are currently running Sonatype Nexus Repository version 3.69.0 as a Docker container.
During a recent security review, we observed that the robots.txt file is publicly accessible via:
https:///robots.txt

We are aware of the CVE-2024-4956 advisory, which was mitigated in versions after 3.68.0. However, we are seeking clarification on whether the presence and accessibility of robots.txt in our current version (3.69.0) poses any residual risk.

Our observations are:
The file is accessible over the internet, but it does not exist in the /public directory of the Nexus container.
The contents of the file are:
User-agent: *
Disallow: /repository/
Disallow: /service/
Allow: /

Our doubts are:
- Is the presence of robots.txt in version 3.69.0 expected behaviour?
- Does this file get served by default from another location in newer versions?
- Is there any security implication or exploitability associated with this file in version 3.69.0?
- Should we take any additional steps to restrict access to this file?

Any clarification or guidance would be greatly appreciated.

Regards,
SAM

Hi,

Yes, it is expected that you’ll still be able to access “/robots.txt” via HTTP request in newer versions of Nexus Repo.

The robots.txt file and other static resources are no longer served from the file system as of Nexus Repo 3.69.0, which mitigates CVE-2024-4956.

Regards,

Rich

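For anyone wanting to verify that a reachable instance is serving exactly the default record quoted in the question (and nothing else), the following is a small added checker, not Sonatype code. It parses a robots.txt body, compares it with the 3.69.0 contents quoted above, and reports any missing or unexpected rules, which is the only thing a reviewer needs to know about this file. The `fetch_robots()` helper and its URL layout are assumptions for convenience; the audit itself runs offline on the embedded text.

```python
"""Audit a Nexus Repository robots.txt against the default quoted in this thread.

Added example for this discussion; not part of Nexus or any Sonatype tooling.
"""
from __future__ import annotations

import sys
import urllib.request
from dataclasses import dataclass, field

# Body quoted in the original question for Nexus Repository 3.69.0.
EXPECTED_ROBOTS = """User-agent: *
Disallow: /repository/
Disallow: /service/
Allow: /
"""


@dataclass
class RobotsRecord:
    """One user-agent group: the agents it applies to and its (directive, path) rules."""
    agents: list[str] = field(default_factory=list)
    rules: list[tuple[str, str]] = field(default_factory=list)


def parse_robots(text: str) -> list[RobotsRecord]:
    """Minimal robots.txt parser.

    Consecutive User-agent lines open one record; the rules that follow belong
    to it; '#' starts a comment; directive names are case-insensitive; CRLF is fine.
    """
    records: list[RobotsRecord] = []
    current: RobotsRecord | None = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            # A User-agent after rules have been seen starts a new record.
            if current is None or current.rules:
                current = RobotsRecord()
                records.append(current)
            current.agents.append(value)
        elif current is not None:
            current.rules.append((key, value))
    return records


def audit_robots(actual_text: str) -> list[str]:
    """Return human-readable findings; an empty list means the file matches the default."""
    expected_rules = {rule for rec in parse_robots(EXPECTED_ROBOTS) for rule in rec.rules}
    actual_records = parse_robots(actual_text)
    actual_rules = {rule for rec in actual_records for rule in rec.rules}

    findings: list[str] = []
    for directive, path in sorted(actual_rules - expected_rules):
        findings.append(f"unexpected {directive} {path}")
    for directive, path in sorted(expected_rules - actual_rules):
        findings.append(f"missing {directive} {path}")
    # Paths in robots.txt are public by design, so any entry that is not an
    # absolute path is worth a look: it is either malformed or not what Nexus ships.
    for directive, path in sorted(actual_rules):
        if directive in ("allow", "disallow") and not path.startswith("/"):
            findings.append(f"non-absolute {directive} path {path!r}")
    return findings


def fetch_robots(base_url: str, timeout: float = 5.0) -> str:
    """Fetch <base_url>/robots.txt (assumed layout, matching the question's URL)."""
    url = base_url.rstrip("/") + "/robots.txt"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Usage: python robots_audit.py https://nexus.example.internal
    body = fetch_robots(sys.argv[1]) if len(sys.argv) > 1 else EXPECTED_ROBOTS
    for finding in audit_robots(body) or ["robots.txt matches the 3.69.0 default"]:
        print(finding)
```

Run it with the instance's base URL as the only argument; with no argument it audits the embedded default and reports a match. Anything listed as "unexpected" means someone has customised the served file, which is the case where the question's "should we restrict access" concern actually applies.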

Can static files be accessed in 3.87? If so, is there documentation on how to do it?