Is Your Build Cache Giving Every Developer Production Access?
Blog post from Nx
Remote caching in build systems significantly accelerates CI/CD pipelines, but it introduces considerable security risk, most notably through the CREEP (Cache Race-condition Exploit Enables Poisoning) vulnerability, tracked as CVE-2025-36852 with a severity score of 9.4. The vulnerability lets a malicious actor get code into production by exploiting the race between a trusted environment and an untrusted one, such as the main branch and a pull request: the untrusted environment writes a poisoned artifact to the shared cache before the trusted environment finishes its own build, the trusted build then hits that cache entry instead of building from source, and the compromised artifact is deployed.

Traditional security measures often fail to catch this class of attack because they protect the cache's storage and transmission rather than asking who created an artifact in the first place. To mitigate the risk, organizations can either disable cache writes from untrusted environments or implement a multi-tiered cache that isolates anything written by pull requests from what trusted builds read, although many build systems do not yet support either option. The post stresses the importance of auditing exposure to this vulnerability and recommends immediate action for affected users, especially those on Nx Cloud, which offers a multi-tiered cache as a safe configuration.
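To make the two mitigations concrete, here is an added example (not code from the Nx post or the Nx project) that models a remote build cache as a small trust-tier policy and replays the race described above under the vulnerable single-tier setup, the write-disabled setup and the multi-tiered setup. Environment and tier names, the input hash and the artifact strings are all hypothetical.

```javascript
// Added example (not from the Nx post or the Nx project): a toy remote build
// cache modelling both mitigations. Names, hash and artifacts are hypothetical.
function makeCache(policy) {
  const store = new Map(); // key = `${tier}:${inputHash}`
  return {
    // Writes go to the caller's own tier, or are refused if it has none.
    write(env, inputHash, artifact) {
      const rule = policy[env];
      if (!rule || rule.writeTier === null) return false;
      store.set(`${rule.writeTier}:${inputHash}`, artifact);
      return true;
    },
    // Reads consult only the tiers the caller is allowed to trust, in order.
    read(env, inputHash) {
      for (const tier of policy[env].readTiers) {
        const hit = store.get(`${tier}:${inputHash}`);
        if (hit !== undefined) return hit;
      }
      return undefined;
    },
  };
}

// Vulnerable setup: one shared tier that main and pull requests both write.
const SINGLE_TIER = {
  main: { writeTier: 'shared', readTiers: ['shared'] },
  pr:   { writeTier: 'shared', readTiers: ['shared'] },
};
// Mitigation 1: disable cache writes from the untrusted (PR) environment.
const READ_ONLY_PR = {
  main: { writeTier: 'main', readTiers: ['main'] },
  pr:   { writeTier: null,   readTiers: ['main'] },
};
// Mitigation 2: multi-tiered cache. main reads only what main wrote; PRs may
// reuse main's artifacts but can only populate the PR tier.
const MULTI_TIER = {
  main: { writeTier: 'main', readTiers: ['main'] },
  pr:   { writeTier: 'pr',   readTiers: ['pr', 'main'] },
};

// Replays the race from the post: the PR build finishes first and writes under
// the input hash main is about to look up. Returns what main ends up using.
function simulateRace(policy) {
  const cache = makeCache(policy);
  const inputHash = 'deadbeef'; // constructed: identical inputs in both envs
  cache.write('pr', inputHash, 'artifact-from-pr');
  const hit = cache.read('main', inputHash);
  return hit !== undefined ? hit : 'artifact-built-by-main';
}
```

Under `SINGLE_TIER` the main-branch build deploys `artifact-from-pr`; under either mitigation the PR entry is never visible to main, so main falls back to building the artifact itself.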