CVE-2025-36852: Critical Cache Poisoning Vulnerability Affects Multiple Build Systems
Blog post from Nx
CREEP (Cache Race-condition Exploit Enables Poisoning), tracked as CVE-2025-36852, is a critical vulnerability in the remote cache plugins of several build systems, with a CVSS severity score of 9.4. An attacker who can open a pull request exploits a race condition during the artifact construction phase to plant a compromised artifact in the cache before the trusted build populates the same entry; builds on the main branch then pick up the poisoned artifact and carry it into production. Encrypting the bucket and keying entries by hash do not stop the attack, because those measures protect the artifact in transit and at rest rather than controlling who is allowed to write a given cache entry.

The vulnerability primarily affects bucket-based caching solutions such as S3 and GCS, but any cache with a similar architecture, where PR builds and main-branch builds write to the same namespace, is exposed. A poisoned artifact can lead to code execution, data exfiltration, and lateral movement.

Nx Cloud's architecture, with its hierarchical caching and integration with version control systems, is not affected: it enforces strict cache scoping and permissions, so an untrusted PR build cannot write entries that a trusted build will read. Organizations using a vulnerable cache should review their setup and act immediately, especially where a self-hosted cache is shared between PRs and the main branch. Nx users who do not use remote caching, or who use Nx Cloud with its default settings, may not require any changes.
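To make the shared-namespace problem and the scoping mitigation concrete, here is an added example in Python; it is not code from the Nx post or from any real cache plugin. It models a bucket-style cache as a dictionary keyed by a hash of task inputs, with first-writer-wins semantics as on an immutable object store, and assumes the attacker's PR pipeline can compute the task hash the main pipeline will later compute for the same inputs. `BucketCache`, `run_task`, the scope names (`shared`, `main`, `pr-123`) and the sample inputs are all constructed for this example.

```python
import hashlib
from dataclasses import dataclass, field


def task_hash(inputs: dict) -> str:
    """Hash of a task's inputs (sources, command, env), which bucket-based
    caches use as the storage key. It covers the inputs, not the artifact
    that ends up stored under the key, so it cannot tell who wrote it."""
    h = hashlib.sha256()
    for name in sorted(inputs):
        h.update(f"{name}={inputs[name]}\n".encode())
    return h.hexdigest()


@dataclass
class BucketCache:
    """Toy model of an S3/GCS-style cache (assumption): one flat namespace,
    immutable objects, first writer wins."""
    objects: dict = field(default_factory=dict)

    def put(self, key: str, artifact: bytes) -> bool:
        if key in self.objects:
            return False  # entry already populated; the later write loses the race
        self.objects[key] = artifact
        return True

    def get(self, key: str):
        return self.objects.get(key)


# Constructed sample inputs standing in for a main-branch build task.
MAIN_INPUTS = {"cmd": "tsc -p .", "src/app.ts": "export const x = 1;"}
POISON = b"attacker-controlled artifact"


def honest_build(inputs: dict) -> bytes:
    """Stand-in for actually running the task."""
    body = "|".join(f"{k}={v}" for k, v in sorted(inputs.items()))
    return b"artifact built from " + body.encode()


def run_task(cache: BucketCache, inputs: dict, read_scopes: list, write_scope: str) -> bytes:
    """Probe the read scopes in order; on a miss, build and store in the write scope."""
    key = task_hash(inputs)
    for scope in read_scopes:
        hit = cache.get(f"{scope}/{key}")
        if hit is not None:
            return hit
    artifact = honest_build(inputs)
    cache.put(f"{write_scope}/{key}", artifact)
    return artifact


def shared_cache_pr_first() -> bytes:
    """Vulnerable layout: PR and main share one namespace and the PR pipeline
    runs first. Main later sees a cache hit and ships the planted artifact."""
    cache = BucketCache()
    cache.put(f"shared/{task_hash(MAIN_INPUTS)}", POISON)  # attacker's PR job
    return run_task(cache, MAIN_INPUTS, ["shared"], "shared")  # main job


def shared_cache_main_first():
    """Same layout, opposite ordering: main populates the key first, so the
    attacker's write is rejected. The outcome depends only on who wins the race."""
    cache = BucketCache()
    artifact = run_task(cache, MAIN_INPUTS, ["shared"], "shared")
    planted = cache.put(f"shared/{task_hash(MAIN_INPUTS)}", POISON)
    return artifact, planted


def scoped_cache_pr_first() -> bytes:
    """Mitigated layout: PR jobs may only write to their own scope, and the
    main job never reads from PR scopes, so the planted entry is never consulted."""
    cache = BucketCache()
    cache.put(f"pr-123/{task_hash(MAIN_INPUTS)}", POISON)  # attacker's PR job
    return run_task(cache, MAIN_INPUTS, ["main"], "main")  # main job


def scoped_cache_pr_reuses_main() -> bool:
    """Scoping keeps the cache useful: PR jobs still read trusted artifacts
    produced by main, they just cannot write into that scope."""
    cache = BucketCache()
    main_artifact = run_task(cache, MAIN_INPUTS, ["main"], "main")
    pr_artifact = run_task(cache, MAIN_INPUTS, ["pr-123", "main"], "pr-123")
    return pr_artifact == main_artifact and f"pr-123/{task_hash(MAIN_INPUTS)}" not in cache.objects


if __name__ == "__main__":
    print("shared, PR first :", shared_cache_pr_first())
    print("shared, main first:", shared_cache_main_first())
    print("scoped, PR first :", scoped_cache_pr_first())
    print("PR reuses main    :", scoped_cache_pr_reuses_main())
```

The design point is that the trusted scope is written only by the trusted pipeline, while untrusted PR pipelines read from it and write only to a scope of their own; the hash remains the lookup key but no longer decides trust. How a given cache plugin expresses this (separate buckets or prefixes, write credentials issued only to main-branch jobs) is specific to that plugin, which is why the post advises reviewing any self-hosted setup where PRs and main currently share one namespace.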