From 9b756bef7ea4c3a023c73ac15fed9dc9717f018e Mon Sep 17 00:00:00 2001
From: Benjamin Cabanes <3447705+bcabanes@users.noreply.github.com>
Date: Wed, 18 Jun 2025 14:17:10 -0400
Subject: [PATCH] docs(nx-dev): add CVE reference on remote cache (#31639)
Improved the clarity of caching risks, added detailed explanations on CREEP vulnerability, and linked to the CVE-2025-36852 publication.
---
 .../azure-cache/azure-cache-plugin.md | 4 +-
 .../packages/gcs-cache/gcs-cache-plugin.md | 4 +-
 .../packages/s3-cache/s3-cache-plugin.md | 4 +-
 .../shared-fs-cache/shared-fs-cache-plugin.md | 8 +--
 .../running-tasks/self-hosted-caching.md | 8 ++-
 nx-dev/ui-remote-cache/src/lib/faq.tsx | 65 +++++++++++++------
 .../src/lib/remote-cache-solutions.tsx | 31 +++++----
 7 files changed, 78 insertions(+), 46 deletions(-)
diff --git a/docs/shared/packages/azure-cache/azure-cache-plugin.md b/docs/shared/packages/azure-cache/azure-cache-plugin.md
index 0e0cac027f..1e73b7ec6a 100644
--- a/docs/shared/packages/azure-cache/azure-cache-plugin.md
+++ b/docs/shared/packages/azure-cache/azure-cache-plugin.md
@@ -17,9 +17,9 @@ If you are an enterprise and **data privacy and security is a concern**, [reach
 {% /callout %}
-{% callout type="info" title="Self-hosted caching is now free" %}
+{% callout type="warning" title="Bucket-based caches are vulnerable to poisoning and often prohibited in organizations" %}
-Self-hosted caching is **now free for everyone** to use.
+CREEP (CVE-2025-36852) is a critical vulnerability in bucket-based self-hosted remote caches. It lets attackers with PR access poison production builds via a race condition during artifact creation—before security checks can catch it. [Learn more](/blog/cve-2025-36852-critical-cache-poisoning-vulnerability-creep)
 {% /callout %}
diff --git a/docs/shared/packages/gcs-cache/gcs-cache-plugin.md b/docs/shared/packages/gcs-cache/gcs-cache-plugin.md
index ad8318657e..1db60fc379 100644
--- a/docs/shared/packages/gcs-cache/gcs-cache-plugin.md
+++ b/docs/shared/packages/gcs-cache/gcs-cache-plugin.md
@@ -17,9 +17,9 @@ If you are an enterprise and **data privacy and security is a concern**, [reach
 {% /callout %}
-{% callout type="info" title="Self-hosted caching is now free" %}
+{% callout type="warning" title="Bucket-based caches are vulnerable to poisoning and often prohibited in organizations" %}
-Self-hosted caching is **now free for everyone** to use.
+CREEP (CVE-2025-36852) is a critical vulnerability in bucket-based self-hosted remote caches. It lets attackers with PR access poison production builds via a race condition during artifact creation—before security checks can catch it. [Learn more](/blog/cve-2025-36852-critical-cache-poisoning-vulnerability-creep)
 {% /callout %}
diff --git a/docs/shared/packages/s3-cache/s3-cache-plugin.md b/docs/shared/packages/s3-cache/s3-cache-plugin.md
index d55c97732a..6232fe8964 100644
--- a/docs/shared/packages/s3-cache/s3-cache-plugin.md
+++ b/docs/shared/packages/s3-cache/s3-cache-plugin.md
@@ -16,9 +16,9 @@ If you are an enterprise and **data privacy and security is a concern**, [reach
 **Are you an OSS project?** Nx Cloud is free for OSS. [Reach out here](/pricing#oss).
 {% /callout %}
-{% callout type="info" title="Self-hosted caching is now free" %}
+{% callout type="warning" title="Bucket-based caches are vulnerable to poisoning and often prohibited in organizations" %}
-Self-hosted caching is **now free for everyone** to use.
+CREEP (CVE-2025-36852) is a critical vulnerability in bucket-based self-hosted remote caches. It lets attackers with PR access poison production builds via a race condition during artifact creation—before security checks can catch it. [Learn more](/blog/cve-2025-36852-critical-cache-poisoning-vulnerability-creep)
 {% /callout %}
diff --git a/docs/shared/packages/shared-fs-cache/shared-fs-cache-plugin.md b/docs/shared/packages/shared-fs-cache/shared-fs-cache-plugin.md
index d322dff8c0..2ec5f993d5 100644
--- a/docs/shared/packages/shared-fs-cache/shared-fs-cache-plugin.md
+++ b/docs/shared/packages/shared-fs-cache/shared-fs-cache-plugin.md
@@ -7,10 +7,6 @@ description: The @nx/shared-fs-cache plugin enables you to use a shared file sys
 The `@nx/shared-fs-cache` plugin enables you to host your remote cache on a shared file system directory. While you're responsible for implementing the actual directory sharing mechanism, the plugin configures Nx to read from both your local cache and the shared directory.
-{% callout type="warning" title="Potential Cache Poisoning" %}
-Using a shared file system folder for remote caching introduces the risk of [cache poisoning](/troubleshooting/unknown-local-cache). To mitigate this risk, consider using [Nx Replay](/ci/features/remote-cache) instead.
-{% /callout %}
-
 {% callout type="deepdive" title="Free managed remote cache with Nx Cloud" %}
 Note, you can get started for free with a **fully managed remote caching powered by Nx Cloud**. It comes with a generous Hobby plan that is enough for most small teams. [Learn more here](/nx-cloud).
@@ -21,9 +17,9 @@ If you are an enterprise and **data privacy and security is a concern**, [reach
 {% /callout %}
-{% callout type="info" title="Self-hosted caching is now free" %}
+{% callout type="warning" title="Bucket-based caches are vulnerable to poisoning and often prohibited in organizations" %}
-Self-hosted caching is **now free for everyone** to use.
+CREEP (CVE-2025-36852) is a critical vulnerability in bucket-based self-hosted remote caches. It lets attackers with PR access poison production builds via a race condition during artifact creation—before security checks can catch it. [Learn more](/blog/cve-2025-36852-critical-cache-poisoning-vulnerability-creep)
 {% /callout %}
diff --git a/docs/shared/recipes/running-tasks/self-hosted-caching.md b/docs/shared/recipes/running-tasks/self-hosted-caching.md
index edace461dd..7de3cea5b9 100644
--- a/docs/shared/recipes/running-tasks/self-hosted-caching.md
+++ b/docs/shared/recipes/running-tasks/self-hosted-caching.md
@@ -10,7 +10,13 @@ Nx offers different ways to enable self-hosted remote caching for your workspace
 - **Using the official Nx packages** that come with ready-to-use adapters for AWS S3, GCP, Azure, and more.
 - **Build your own cache server** by following the Nx Remote Caching OpenAPI spec.
-{% callout type="note" title="Free managed remote cache with Nx Cloud" %}
+{% callout type="warning" title="Bucket-based caches are vulnerable to poisoning and often prohibited in organizations" %}
+
+CREEP (CVE-2025-36852) is a critical vulnerability in bucket-based self-hosted remote caches. It lets attackers with PR access poison production builds via a race condition during artifact creation—before security checks can catch it. [Learn more](/blog/cve-2025-36852-critical-cache-poisoning-vulnerability-creep)
+
+{% /callout %}
+
+{% callout type="note" title="Free & secure managed remote cache with Nx Cloud" %}
 Note, you can get started for free with a **fully managed remote caching powered by Nx Cloud**. It comes with a generous Hobby plan that is enough for most small teams. [Learn more here](/nx-cloud).
diff --git a/nx-dev/ui-remote-cache/src/lib/faq.tsx b/nx-dev/ui-remote-cache/src/lib/faq.tsx
index b92c0cb7e7..56c82ad493 100644
--- a/nx-dev/ui-remote-cache/src/lib/faq.tsx
+++ b/nx-dev/ui-remote-cache/src/lib/faq.tsx
@@ -41,6 +41,7 @@ export function Faq(): ReactElement { documented here.
@@ -68,6 +69,32 @@ export function Faq(): ReactElement { + Learn more here. + +

+ ), + }, + { + question: + 'What cache poisoning vulnerabilities affect self-hosted solutions?', + answerJson: + 'CREEP (Cache Race-condition Exploit Enables Poisoning) is a critical vulnerability (CVE-2025-36852) that affects self-hosted remote cache solutions.
It allows any developer with pull request access to inject malicious code into your production builds through a race condition in the caching system. The attack is undetectable because it happens during artifact creation, before any security measures take effect.', + answerUi: ( +

+ CREEP (Cache Race-condition Exploit Enables Poisoning) is a critical + vulnerability (CVE-2025-36852) that affects self-hosted remote cache + solutions.
It allows any developer with pull request access to + inject malicious code into your production builds through a race + condition in the caching system. The attack is undetectable because it + happens during artifact creation, before any security measures take + effect.{' '} + Learn more here. @@ -91,6 +118,7 @@ export function Faq(): ReactElement { Learn more here. @@ -111,37 +139,34 @@ export function Faq(): ReactElement { answerUi: ( <>
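Review bot: The new FAQ entry states that CREEP "affects self-hosted remote cache solutions" (once in `answerJson` and again in `answerUi`), whereas the callouts this same commit adds to the plugin pages scope it to "bucket-based self-hosted remote caches", and the self-hosted-caching recipe still lists a self-built server following the Nx Remote Caching OpenAPI spec as a self-hosted option, so the FAQ overstates the affected surface relative to the docs. Suggest qualifying both copies to match, e.g. `vulnerability (CVE-2025-36852) that affects bucket-based self-hosted remote cache solutions.` in the JSX and the same phrase in `answerJson`, so the two copies of the prose stay aligned with the markdown callouts. The shared-fs-cache page in this commit has the converse mismatch: its file-system-specific "Potential Cache Poisoning" callout is removed and replaced by the bucket-based wording, which does not describe that plugin. As rendered here the JSX markup appears stripped, so the `Learn more here` link target could not be checked against the `/blog/cve-2025-36852-critical-cache-poisoning-vulnerability-creep` path used in the markdown callouts; worth confirming both FAQ links point there. The enclosing `Faq` function and the FAQ array literal start and end outside this hunk.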

- Nx Cloud includes{' '} - enterprise-grade security features designed to give - organizations more control over access and data protection. + Nx Cloud includes enterprise-grade security features designed to + give organizations more control over access and data protection.

diff --git a/nx-dev/ui-remote-cache/src/lib/remote-cache-solutions.tsx b/nx-dev/ui-remote-cache/src/lib/remote-cache-solutions.tsx
index a11f5183e8..fccb7fb68f 100644
--- a/nx-dev/ui-remote-cache/src/lib/remote-cache-solutions.tsx
+++ b/nx-dev/ui-remote-cache/src/lib/remote-cache-solutions.tsx
@@ -4,7 +4,7 @@ import {
 CheckCircleIcon,
 ExclamationCircleIcon,
 } from '@heroicons/react/24/solid';
-import { ButtonLink, SectionHeading } from '@nx/nx-dev/ui-common';
+import { ButtonLink, SectionHeading, Strong } from '@nx/nx-dev/ui-common';
 import { sendCustomEvent } from '@nx/nx-dev/feature-analytics';
 import Link from 'next/link';
@@ -20,6 +20,7 @@ export function RemoteCacheSolutions(): ReactElement { Free remote caching solutions for any team. +
{/* NX CLOUD */}
@@ -185,23 +186,20 @@ export function RemoteCacheSolutions(): ReactElement {