What's Changed
⚠️ Breaking Change: Signed templates required for JavaScript protocol
Starting with v3.11.0, custom templates that use the javascript: protocol must be digitally signed before Nuclei will load or execute them. Unsigned JavaScript templates are now skipped during template loading and when referenced from workflows.
Why this change
This release continues the security hardening started in v3.10.0 (sandbox enforcement, network policy checks, stricter code-template handling, YAML include protections, and related fixes in #7469). The JavaScript protocol exposes Go-backed modules through Nuclei's JS runtime, which significantly increases attack surface compared with request-only templates. Requiring signatures brings JavaScript templates in line with the existing protections for code-protocol templates.
Who is affected
| Scenario | Impact |
|---|---|
| Default scans using nuclei-templates | No action needed - official templates are pre-signed and verified with ProjectDiscovery's public key |
Custom/private templates using javascript: |
Action required - sign templates before use |
Templates using only flow: (e.g. flow: http(1)) without javascript: |
No change |
| Workflows referencing unsigned JavaScript sub-templates | Those sub-templates are skipped |
What to do
Sign your custom templates with:
nuclei -sign -t /path/to/your-template.yamlSee the Template Signing documentation for key generation, verification, and signing templates that reference external JavaScript or code files.
🔒 Security
- feat(templates): require signatures for javascript templates by @dwisiswant0 in #7514
Other Changes
- bump x/crypto and go-pkcs12 by @dogancanbakir in #7516
- general maintenance and cleanup by @Mzack9999 in #7469
Full Changelog: v3.10.0...v3.11.0