Attention all Nuclei users! We're thrilled to announce a new Nuclei template release. This update brings significant enhancements that will improve your overall experience. However, this release also includes breaking changes. To benefit from these improvements and avoid potential issues, please make sure to keep the Nuclei engine updated to the latest version.
What's New in this Release?
There are three important changes being made. We're going to go over them one by one and discuss what the changes are as well as why we're implementing those changes.
1. Template Directory Restructure by Protocol Type
The new release introduces a restructured template directory, organized by protocol type. This update makes it easier for users to navigate and manage their templates effectively.
Initially, when Nuclei only supported HTTP protocol templates, templates were located in the root directory. As Nuclei evolved to support multiple protocols, other protocol templates were added to specific directories, while HTTP templates remained in the root directory. This caused reduced visibility for non-HTTP protocol templates and made the directory structure less organized.
With this update, we've moved HTTP protocol-based templates into the http/ directory. We're doing this in order to provide more visibility to other protocol templates, align the structure of the HTTP directory with other protocol directories, and make it simpler for users to browse and manage their templates. Here is an example of what the new structure looks like.
- HTTP
  - subdirectory 1
  - subdirectory 2
- DNS
  - subdirectory 1
  - subdirectory 2
- NETWORK
  - subdirectory 1
  - subdirectory 2
- TLS
  - subdirectory 1
  - subdirectory 2
- ...
Nuclei v2.9.3 provides backward-compatible support, so existing pipelines that use public templates keep working after the template directory restructuring. Make sure to update old path references to prevent future problems, as backward support will be removed in nuclei v2.9.5.
2. CVE Templates to Include CPE and EPSS Score
The new release improves CVE templates by including CPE (Common Platform Enumeration) and EPSS (Exploitability Prediction Scoring System) scores. These additions provide users with more comprehensive information about vulnerabilities, helping them prioritize their remediation efforts.
The idea and the code contribution that made this possible are solely credited to sduc. Thank you for your contribution!
    id: CVE-XXXX-XXXX
    info:
      name: Example Vulnerability
      author: pdteam
      severity: high
      classification:
        cpe: cpe:/a:example_vendor:example_product:1.0.0
        epss-score: 8.6
Having this information in the template also enables users to filter templates based on classification information using the DSL-based -tc option, for example:
    # Load all CVE templates with EPSS score >= 0.7
    nuclei -tc 'epss_score >= 0.7'
    # Load all the templates for a specific CPE
    nuclei -tc 'cpe == "cpe:2.3:a:fortinet:fortimail:*:*:*:*:*:*:*:*"'
    # Load all the templates with a specific CVSS score
    nuclei -tc 'cvss_score >= 7.5'
3. Templates to Include max-request as metadata Information
Finally, this release adds a new attribute called max-request in the metadata section that shows the maximum number of requests a template can make. It helps users filter and select templates to run based on their resource constraints, making their workflow more efficient.
    id: example_template
    info:
      name: Example Template
      author: pdteam
      severity: medium
      metadata:
        max-request: 10
Similar to classification-based filters, templates can also be filtered using the newly added max-request counter, for example:
    # Load all templates making 1 request
    nuclei -tc 'max_request == 1'
    # Load all templates making a maximum of 5 requests
    nuclei -tc 'max_request <= 5'
Due to the breaking changes introduced in this release, users must update to Nuclei version 2.9.3 or later to use the templates from the nuclei-templates project. Updating your Nuclei engine to the latest version will ensure a seamless transition and help you take full advantage of these enhancements.
Do I need to update nuclei engine?
Yes, you need to update to nuclei engine 2.9.3 or later to use public nuclei templates.
Do I need to update nuclei templates?
No, nuclei-templates updates are automatic; the latest public templates are downloaded/updated upon each nuclei-templates project release.
My custom templates will be working, right?
Yes, we have added backward-compatible support for older templates in the nuclei engine, with a warning message. We suggest updating custom templates to the latest syntax before the release of nuclei v2.9.5 to avoid issues with loading outdated templates.
What changes do I need to make to custom templates?
Update to the latest protocol syntax, i.e. http: instead of requests: for HTTP protocol-based templates and tcp: instead of network: for network protocol-based templates.
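A dry-run helper for the syntax change described above, given here as an added example rather than ProjectDiscovery's own tooling. It renames only top-level requests: and network: keys in custom templates; the function names and the sample template are constructed for illustration.

```python
import re
from pathlib import Path

# Deprecated top-level protocol keys -> replacements, as given in the post.
RENAMES = {"requests": "http", "network": "tcp"}

# Column-0 keys only (nested keys and block-scalar text are indented);
# a trailing comment on the key line is preserved.
TOP_KEY = re.compile(r"^(requests|network):(\s*(?:#.*)?)$")

# Constructed sample template (hypothetical, old syntax).
SAMPLE = """\
id: custom-status-check
info:
  name: Custom status check
  author: example
  severity: info
requests:
  - method: GET
    path:
      - "{{BaseURL}}/status"
"""

def migrate_text(text):
    """Return (new_text, changes); changes lists (line_no, old_key, new_key)."""
    out, changes = [], []
    for no, line in enumerate(text.splitlines(keepends=True), 1):
        body = line.rstrip("\r\n")
        m = TOP_KEY.match(body)
        if m:
            new_key = RENAMES[m.group(1)]
            changes.append((no, m.group(1), new_key))
            line = f"{new_key}:{m.group(2)}" + line[len(body):]
        out.append(line)
    return "".join(out), changes

def migrate_tree(root, write=False):
    """Report outdated *.yaml templates under root; rewrite only if write=True."""
    report = {}
    for path in sorted(Path(root).rglob("*.yaml")):
        new_text, changes = migrate_text(path.read_text(encoding="utf-8"))
        if changes:
            report[str(path)] = changes
            if write:
                path.write_text(new_text, encoding="utf-8")
    return report

if __name__ == "__main__":
    for path, changes in migrate_tree(".").items():
        print(path, changes)
```

Run it in report mode first and review the listed files before calling migrate_tree with write=True on a version-controlled copy of your custom templates.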
Something is still not right with nuclei. What should I do?
In case it's still not working, we have added a flag, -reset, that removes all nuclei configuration and data files (including nuclei-templates). This fixes a minor bug that was in 2.9.3 for some users. This might not be needed for most users, but it is there just in case.
These essential updates are designed to make your Nuclei experience more seamless and efficient while addressing some common issues that OSS projects face as they begin to scale. We're excited to roll them out and continue to work with our amazing community of contributors, bug bounty hunters, and cybersecurity professionals as we continue to iterate and build up our selection of tools. Remember to upgrade your Nuclei engine promptly to take advantage of these enhancements and avoid any breaking changes.
For more information, check our releases page on GitHub.