Security researchers at Nx have disclosed a critical vulnerability affecting build systems with remote caching capabilities, potentially impacting thousands of organizations that rely on these systems for CI/CD pipeline performance. The vulnerability, designated CVE-2025-36852 and nicknamed “CREEP” (Cache Race-condition Exploit Enables Poisoning), carries a severity score of 9.4 and allows any developer with pull request access to inject malicious code into production artifacts.
The Vulnerability
Remote caching in CI is widely adopted across the software industry because it dramatically reduces build times. However, the CREEP vulnerability exploits a fundamental flaw in how most organizations implement these systems, creating an unintended pathway for untrusted code to contaminate production deployments.
“Most organizations are unknowingly giving every PR author the power to poison production without leaving a trace,” explains the Nx research team. “While companies invest millions in security infrastructure including firewalls, access controls, and code reviews, their remote cache can create a bypass to all of it.”
Industry Impact
The vulnerability affects organizations using any build system with remote caching where untrusted environments can write to the same cache used by trusted environments.
“This isn’t just a theoretical risk,” according to Victor Savkin, CTO, Nx. “Historical breaches like Target (2013), SolarWinds (2020), and Codecov (2021) demonstrate how compromised build processes can lead to devastating outcomes.”
The vulnerability is particularly concerning because it can be exploited by individuals with legitimate access. Further, the attacker can erase all traces of the exploit.
Immediate Recommendations
Security researchers recommend that all organizations using build systems with remote caching immediately:
Review CVE-2025-36852 details and technical analysis
Assess their current caching implementation against the three mitigation options
Determine acceptable risk tolerance based on security and compliance requirements
Implement appropriate safeguards based on their chosen option
Review access controls for all repositories and build systems
Expert Commentary
“The CREEP vulnerability highlights a critical blind spot in modern DevOps security,” said Victor Savkin. “Organizations have focused heavily on securing the delivery pipeline while inadvertently creating vulnerabilities in the build process itself. It’s like poisoning food while it’s being cooked rather than during delivery.”
The vulnerability underscores the need for security measures that address the entire software supply chain, not just the final deployment stages.
Source: businesswire