miel.truyen/nx
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity

fix(nx-dev): small adjustment to the blog post

Browse Source
This commit is contained in:
Victor Savkin 2025-06-19 19:01:17 -04:00
parent 9e9345b5e1
commit bd898d3220
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
docs/blog/2025-06-12-cve-2025-36852-critical-cache-poisoning-vulnerability-creep.md
View File

@ -18,6 +18,10 @@ The CREEP vulnerability allows any contributor with pull request privileges to i
- Nx Cloud is **NOT** affected due to its security architecture
- Review this post to determine if your self-hosted cache solution is vulnerable
{% callout type="warn" title="DIY implementations are vulnerable" %}
DIY remote caches are likely vulnerable. Scanners won't catch all affected implementations, so understanding the vulnerability is crucial.
{% /callout %}
## **Understanding the Vulnerability**
A typical remote-cache flow using storage services follows these steps:
@ -93,5 +97,6 @@ CVE-2025-36852 represents a serious threat to organizations using vulnerable cac
- If your organization uses bucket-based remote caching: immediate action is required
- If your organization uses other self-hosted remote cache solutions: immediate review required (most self-hosted caching solutions across many build systems—not just JavaScript, but also Java—are affected)
- If your organization uses custom tasks runners to implement remote caching: immediate review required
- If using Nx without remote caching: no action is required
- If using Nx with Nx Cloud: [Review your settings](/ci/concepts/cache-security#use-scoped-tokens-in-ci). If you are using default settings, no actions should be required.