CVE-2025-36852

Source
https://cve.org/CVERecord?id=CVE-2025-36852
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-36852.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-36852
Aliases
Published
2025-06-10T19:23:33.956Z
Modified
2026-07-15T01:49:00.501786110Z
Severity
  • 9.4 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/V:C/RE:M/U:Red CVSS Calculator
Summary
Build Cache Poisoning via Untrusted Pull Requests
Details

A critical security vulnerability exists in remote cache extensions for common build systems utilizing bucket-based remote cache (such as those using Amazon S3, Google Cloud Storage, or similar object storage) that allows any contributor with pull request privileges to inject compromised artifacts from an untrusted environment into trusted production environments without detection. 

The vulnerability exploits a fundamental design flaw in the "first-to-cache wins" principle, where artifacts built in untrusted environments (feature branches, pull requests) can poison the cache used by trusted environments (protected branches, production deployments). 

This attack bypasses all traditional security measures including encryption, access controls, and checksum validation because the poisoning occurs during the artifact construction phase, before any security measures are applied.

Database specific
{
    "cwe_ids": [
        "CWE-829"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/36xxx/CVE-2025-36852.json",
    "cna_assigner": "HeroDevs"
}
References

Affected packages

Git / github.com/niklaspor/nx-remotecache-azure

Affected ranges

Type
GIT
Repo
https://github.com/niklaspor/nx-remotecache-azure
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

Other
0
v0.*
v0.0.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-36852.json"