Nx Identifies Critical Security Vulnerability in Build Cache Systems Affects Thousands of Organizations Worldwide

GILBERT, Ariz.--(BUSINESS WIRE)--Security researchers at Nx have disclosed a critical vulnerability affecting build systems with remote caching capabilities, potentially impacting thousands of organizations that rely on these systems for CI/CD pipeline performance. The vulnerability, designated CVE-2025-36852 and nicknamed "CREEP" (Cache Race-condition Exploit Enables Poisoning), carries a severity score of 9.4 and allows any developer with pull request access to inject malicious code into production artifacts.

The Vulnerability

Remote caching in CI is widely adopted across the software industry because it dramatically reduces build times. However, the CREEP vulnerability exploits a fundamental flaw in how most organizations implement these systems, creating an unintended pathway for untrusted code to contaminate production deployments.

"Most organizations are unknowingly giving every PR author the power to poison production without leaving a trace," explains the Nx research team. "While companies invest millions in security infrastructure including firewalls, access controls, and code reviews, their remote cache can create a bypass to all of it."

Industry Impact

The vulnerability affects organizations using any build system with remote caching where untrusted environments can write to the same cache used by trusted environments.

"This isn't just a theoretical risk," according to Victor Savkin, CTO, Nx. "Historical breaches like Target (2013), SolarWinds (2020), and Codecov (2021) demonstrate how compromised build processes can lead to devastating outcomes."

The vulnerability is particularly concerning because it can be exploited by individuals with legitimate access. Further, the attacker can erase all traces of the exploit.

Immediate Recommendations

Security researchers recommend that all organizations using build systems with remote caching immediately:

  1. Review CVE-2025-36852 details and technical analysis
  2. Assess their current caching implementation against the three mitigation options
  3. Determine acceptable risk tolerance based on security and compliance requirements
  4. Implement appropriate safeguards based on their chosen option
  5. Review access controls for all repositories and build systems

Expert Commentary

"The CREEP vulnerability highlights a critical blind spot in modern DevOps security," said Victor Savkin. "Organizations have focused heavily on securing the delivery pipeline while inadvertently creating vulnerabilities in the build process itself. It's like poisoning food while it's being cooked rather than during delivery."

The vulnerability underscores the need for security measures that address the entire software supply chain, not just the final deployment stages.

About the Research

The CREEP vulnerability was discovered by researchers at Nx through analysis of various build systems that support remote caching. The research team emphasizes that while remote caching remains critical for build performance, it must be implemented with the same security rigor applied to production access controls.

Detailed technical analysis and remediation guidance are available at https://nx.dev/blog/creep-vulnerability-build-cache-security.

Note to editors: CVE-2025-36852 has been assigned and published by the CVE Program.

Contacts

For media inquiries: Heidi Grütter marketing@nrwl.io, (602) 492-2418

For technical questions: Victor Savkin cloud-support@nrwl.io
