From bd898d3220eb43d1a41d737f8dddcdd4d592c5e2 Mon Sep 17 00:00:00 2001 From: Victor Savkin Date: Thu, 19 Jun 2025 19:01:17 -0400 Subject: [PATCH] fix(nx-dev): small adjustment to the blog post --- ...025-36852-critical-cache-poisoning-vulnerability-creep.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/blog/2025-06-12-cve-2025-36852-critical-cache-poisoning-vulnerability-creep.md b/docs/blog/2025-06-12-cve-2025-36852-critical-cache-poisoning-vulnerability-creep.md index 927a84c894..de6d2ed790 100644 --- a/docs/blog/2025-06-12-cve-2025-36852-critical-cache-poisoning-vulnerability-creep.md +++ b/docs/blog/2025-06-12-cve-2025-36852-critical-cache-poisoning-vulnerability-creep.md @@ -18,6 +18,10 @@ The CREEP vulnerability allows any contributor with pull request privileges to i - Nx Cloud is **NOT** affected due to its security architecture - Review this post to determine if your self-hosted cache solution is vulnerable +{% callout type="warn" title="DIY implementations are vulnerable" %} +DIY remote caches are likely vulnerable. Scanners won't catch all affected implementations, so understanding the vulnerability is crucial. +{% /callout %} + ## **Understanding the Vulnerability** A typical remote-cache flow using storage services follows these steps: 
@@ -93,5 +97,6 @@ CVE-2025-36852 represents a serious threat to organizations using vulnerable cac - If your organization uses bucket-based remote caching: immediate action is required - If your organization uses other self-hosted remote cache solutions: immediate review required (most self-hosted caching solutions across many build systems—not just JavaScript, but also Java—are affected) +- If your organization uses custom tasks runners to implement remote caching: immediate review required - If using Nx without remote caching: no action is required - If using Nx with Nx Cloud: [Review your settings](/ci/concepts/cache-security#use-scoped-tokens-in-ci). If you are using default settings, no actions should be required.
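Review bot: The first hunk's new callout states "Scanners won't catch all affected implementations" without saying which scanners (dependency scanners, SAST, the Nx-provided checks), so readers cannot tell whether the tool they already run is one of them; name the class of tool, e.g. "Automated dependency scanners won't catch all affected implementations", and consider linking the callout to the flow described under "Understanding the Vulnerability" so that a reader with a DIY cache knows which of the listed steps to compare against their own setup.

Review bot: Typo in the second hunk's added bullet: "custom tasks runners" should read "custom task runners". The bullet also says "immediate review required" but, unlike the "other self-hosted remote cache solutions" bullet just above it, gives no hint what to review; since a custom task runner that writes to shared storage follows the same remote-cache flow as a bucket-based cache, point the reader at that comparison, e.g. "- If your organization uses custom task runners to implement remote caching: immediate review required (the same storage-trust issue applies)".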