We are thrilled to bring you the new Nuclei v2.3.0! With this release, the entire core has seen a refactor and overhaul, focusing on modularity and future-proofing by adding the unit tests and integration tests.

The release also comes with many exciting new features. Some massive ones being headless support, TCP support, file support for local filesystem templates. Reporting modules have been added for Jira, Github, Gitlab, and many more along the way. The workflow system has been written from scratch with a focus on speed. Configuration files have arrived in Nuclei, allowing you to work with multiple Nuclei customizations for your different needs. A new clustering module has been added to identify identical HTTP requests and send a single request for them, reducing the scan time for large-scale scans. Offline HTTP support has been added too, for parsing raw HTTP responses from the disk and running templates on them!

Headless Requests

Headless support has been added to Nuclei, allowing the users to model the most complex of headless, browser-based interactions in an automated way. This opens up a whole new space of checks for Nuclei. DOM-based vulnerabilities like prototype pollution, DOM-XSS, etc., can be easily automated by users with Nuclei's headless mode.


Headless mode works on the concept of actions, where each action manipulates the browser to do something. For example, navigating to a URL, clicking a button, running a script, etc. With these powerful primitives, users can automate almost all kinds of actions for headless.

As an example, the templates below detect DOM XSS in [window.name](http://window.name) source for 3 sinks - eval, document.write and innerHTML.

id: window-name-domxss

  name: window.name DOM XSS
  author: pd-team
  severity: medium

  - steps:
      - action: setheader
          part: response
          key: Content-Security-Policy
          value: "default-src * 'unsafe-inline' 'unsafe-eval' data: blob:;"
      - action: script
          hook: true
          code: |
            !function(){function n(n){window.alerts.push(n)}function e(){var n;try{throw new Error("")}catch(e){n=e.stack||""}return(n=n.split("\n").map(function(n){return n.trim()})).splice("Error"==n[0]?2:1)}window.alerts=[],window.name="{{randstr_1}}'\"<>";var t=eval,r=(document.write,Object.getOwnPropertyDescriptor(Element.prototype,"innerHTML").set);Object.defineProperty(Element.prototype,"innerHTML",{set:function(t){return t.includes("{{randstr_1}}'\"<>")&&n({sink:"innerHTML",source:"window.name",code:t,stack:e()}),r.call(this,t)}}),eval=function(r){return r.includes("{{randstr_1}}'\"<>")&&n({sink:"eval",source:"window.name",code:r,stack:e()}),t.apply(this,arguments)},document.write=function(r){return r.includes("{{randstr_1}}'\"<>")&&n({sink:"document.write",source:"window.name",code:r,stack:e()}),t.apply(this,arguments)}}();
      - args:
          url: "{{BaseURL}}"
        action: navigate
      - action: waitload
      - action: script
        name: alerts
          code: "window.alerts"
      - type: word
        part: alerts
          - "sink:"
      - type: kval
        part: alerts
          - alerts

Complete documentation for headless protocol is available at https://nuclei.projectdiscovery.io/templating-guide/protocols/headless/.

Some example templates for Headless Protocol are also provided at https://nuclei.projectdiscovery.io/template-examples/headless.

TCP Requests

Nuclei now allows users to model TCP-based protocols through the familiar YAML-based DSL. This allows Nuclei to act as a fully automatable netcat, sending raw data over network sockets and performing matching/extracting with chained flows on top of it. Helper functions are supported to allow users to encode and decode data in different formats. Precise matching is also allowed by reading bytes from the response in chunks and running different matchers on them.


As an example, the template below detects an exposed Redis Server.

id: exposed-redis

  name: Redis Unauth Server
  author: pd-team
  severity: high
  reference: https://redis.io/topics/security

  - inputs:
      - data: "info\r\nquit\r\n"
      - "{{Hostname}}"
    read-size: 2048
    matchers-condition: and
      - type: word
          - "redis_version"
      - type: word
        negative: true
          - "redis_mode:sentinel"

Some example templates for Network Protocol are also provided at https://nuclei.projectdiscovery.io/template-examples/network/.

Complete documentation for network protocol is available at https://nuclei.projectdiscovery.io/templating-guide/protocols/network/.

File Requests

Files can now be processed by the nuclei engine with its matching and extracting capabilities. This allows users to write filesystem templates to detect misconfigurations/issues on the local system itself, making it a valuable tool for post-exploitation needs.


Complete control over extensions processed, and the data read is provided to the user. An example template to detect a Private Key is provided below.

id: private-key

  name: Private Key Detect
  author: pd-team
  severity: high

  - extensions:
      - all
      - .pub
    no-recursive: true
    max-size: 1024 # read very small chunk
      - type: word
          - "BEGIN PRIVATE KEY"
          - "BEGIN EC PRIVATE KEY"
          - "ssh-rsa"

Complete documentation for file protocol is available at https://nuclei.projectdiscovery.io/templating-guide/protocols/file/.

Some example templates for File Protocol are also provided at https://nuclei.projectdiscovery.io/template-examples/file/.

Issue Tracker Integration

The new release comes with built-in integration with Issue Trackers like Jira, Github, and Gitlab with many more on the way. This allows direct importing of issues generated by Nuclei into issue trackers with automatic deduplication.


This makes running Nuclei into CI/CD job very convenient, with unique scan results added as issues with proper labels, assignees, etc., into an issue tracker of your choice.

All you require is a config file with details setup for your preferred issue tracker. An example config file -

  severity: critical,high,medium

# jira contains configuration options for jira issue tracker
  # URL is the jira application url
  url: "https://test.atlassian.net"
  # account-id is the account-id of the jira user
  account-id: "xxxxxxxxxxxxxxx"
  # email is the email of the user for jira instance
  email: "test@test.com"
  # token is the token for jira instance.
  token: "xxxxxxxxxxxx"
  # project-name is the name of the project.
  project-name: "XXXX"
  # issue-type is the name of the created issue type
  issue-type: "Bug"

Running the following command will automatically run Nuclei with issue tracker reporting enabled and issues found will be sent to the server.

./nuclei -t <template> -l <input> -report-config <issue-tracker-config>.yaml

Tag Based Execution Support

Tag-based execution support has been added to Nuclei, allowing comma-separated tags to be added that uniquely identify a template. Users can then run templates without specifying their absolute paths, providing only tags.


An example template with tags in its info block:

id: CVE-2019-15043
  author: bing0o
  name: Grafana unauthenticated API
  severity: medium
  tags: cve,cve2019,grafana

The tags to run can be specified on the Nuclei command line as provided below:

./nuclei -tags cve -l urls.txt
./nuclei -tags cve2021 -l urls.txt
./nuclei -tags logs,backups -l urls.txt
./nuclei -tags lfi,rce -l urls.txt

Config File Support

Configuration file support has been added to Nuclei, allowing you to continue using your various Nuclei configurations for different projects.

A default global configuration file is written in $HOME/.config/nuclei/config.yaml and is always read by Nuclei. It can be used to define your global configurations, such as any custom HTTP headers, rate limits, etc.

Ideally, the user should create a separate copy of the configuration file with options tailored to that project. So, if the target requires you to send a custom header, you can add that header to the configuration file for that project, and it will always be sent to the target when running Nuclei with the mentioned configuration file.

Miscellaneous Changes

  1. The workflow engine has been reworked, removing the Tengo Scripting layer. This makes workflows simpler and faster, and also safer, by removing the need to sandbox the execution of workflows.
  2. Nuclei can now cluster identical HTTP Requests (previously limited to GET requests) in templates provided by the user, instead of making a new request each time. This reduces the scan time and also noise-generated by the scan.
  3. Passive HTTP Support has been added. This allows available Nuclei HTTP templates (limited to templates for root paths) to be run on the passively collected data (from tools like httpx, meg, etc) and perform post-processing on them! This feature is available with -passive flag in Nuclei.

What's next for Nuclei?

This release has been a big one, with lots of stuff being added. Moving ahead, with more stable architecture, we'll be working towards adding more features and other additions that optimize the scanning process.

We'll add more templates for these newly added protocols and work on more blog posts for these new features. We'll also add support for more protocols/features with the upcoming releases. A list of planned features is given below:

  1. Interact.sh Integration - Discover OOB bugs that cannot be detected by normal fuzzing. Catch remote interactions with built-in request correlation and matching for OOB payloads.
  2. More network protocols support - Support for protocols such as SSH, SMB, etc. will be added to Nuclei allowing more templates to be written for network security needs.
  3. Nuclei Live - A graphical builder for simplifying the template creation process.