CVE-2025-36852

Name of the Vulnerable Software and Affected Versions The product name cannot be determined.

Description A critical security issue exists in remote cache extensions for common build systems that utilize bucket-based remote cache, such as those using Amazon S3 or Google Cloud Storage. This issue allows contributors with pull request privileges to inject compromised artifacts from untrusted environments into trusted production environments without detection. The issue exploits a design flaw in the "first-to-cache wins" principle, where artifacts built in untrusted environments can poison the cache used by trusted environments. This attack bypasses traditional security measures, including encryption, access controls, and checksum validation, because the poisoning occurs during the artifact construction phase, before any security measures are applied.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.