CVE-2025-36852
BaseFortify
Publication date: 2025-06-10
Last updated on: 2025-06-12
Assigner: HeroDevs
| CWE ID | Description |
|---|---|
| CWE-829 | The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a critical security flaw in remote cache extensions used by common build systems that rely on bucket-based remote caches like Amazon S3 or Google Cloud Storage. It allows any contributor with pull request privileges to inject compromised artifacts from untrusted environments into trusted production environments without detection. The issue arises from a design flaw in the "first-to-cache wins" principle, where artifacts built in untrusted environments can poison the cache used by trusted environments. This bypasses traditional security measures such as encryption, access controls, and checksum validation because the poisoning happens during the artifact construction phase before these measures are applied.
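The Python model below is an added illustration, not code from this advisory or from any affected build system. It shows why a checksum stored alongside a cache entry still validates when that entry was built in an untrusted pipeline, and contrasts this with partitioning the cache by trust level, which is a mitigation assumed here rather than stated on this page. All class, function and pipeline names and the sample source bytes are constructed.

```python
import hashlib

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class SharedCache:
    """Flawed model: one namespace for every pipeline, first writer of a key wins."""
    def __init__(self):
        self.store = {}

    def slot(self, key, trust):
        return key  # the trust level of the writer or reader is ignored

    def put(self, key, artifact, trust):
        # The checksum covers whatever the writer built, tampered or not.
        self.store.setdefault(self.slot(key, trust), (artifact, digest(artifact)))

    def get(self, key, trust):
        entry = self.store.get(self.slot(key, trust))
        if entry is None:
            return None
        artifact, checksum = entry
        if digest(artifact) != checksum:
            raise ValueError("checksum mismatch")
        return artifact

class TrustScopedCache(SharedCache):
    """Mitigation sketch (assumption): entries are partitioned by pipeline trust level."""
    def slot(self, key, trust):
        return (trust, key)

def build(source, cache, trust, compile_step):
    key = digest(source)  # cache key depends on the inputs only
    cached = cache.get(key, trust)
    if cached is not None:
        return cached  # cache hit: the local compile step never runs
    artifact = compile_step(source)
    cache.put(key, artifact, trust)
    return artifact

def honest(source):
    return b"BIN:" + source

def altered(source):  # stands in for output of a compromised build environment
    return b"BIN:" + source + b":EXTRA"

def production_artifact(cache_cls):
    """The PR pipeline builds first, then the trusted pipeline builds the same source."""
    cache, source = cache_cls(), b"constructed sample source"
    build(source, cache, "untrusted-pr", altered)
    return build(source, cache, "trusted-main", honest)
```

With `SharedCache` the trusted build returns the artifact produced in the PR pipeline and the checksum comparison passes; with `TrustScopedCache` the trusted build misses the cache and compiles its own artifact.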
How can this vulnerability impact me?
This vulnerability can allow attackers with pull request access to inject malicious or compromised artifacts into production environments, potentially leading to the deployment of untrusted or harmful code. This can result in unauthorized code execution, data breaches, system compromise, and loss of trust in the software supply chain. Since the attack bypasses traditional security controls, it can be difficult to detect and mitigate, increasing the risk of severe security incidents.