How to fix EUVD-2025-17809?

Within 24 hours: Disable remote caching in all build pipelines or isolate caches by environment/branch with air-gapped storage. Within 7 days: Conduct forensic audit of recent production deployments to identify compromised artifacts; implement mandatory artifact re-builds from protected branches only. Within 30 days: Redesign cache architecture to prevent cross-environment poisoning, implement cryptographic artifact signing with verification at deployment, and require code review approval before any cache writes.

Is Google affected by EUVD-2025-17809?

Any employee with pull request access can inject malicious code into production artifacts through poisoned build caches, bypassing all security controls.

EUVD-2025-17809

| CVE-2025-36852 CRITICAL

2025-06-10 36c7be3b-2937-45df-85ea-ca7133ea542c

GHSA-rrr2-jcr8-7q3x

Authentication Bypass Google

9.4

CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/AU:Y/R:U/V:C/RE:M/U:Red

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 14, 2026 - 19:49 vuln.today

EUVD ID Assigned

Mar 14, 2026 - 19:49 euvd

EUVD-2025-17809

CVE Published

Jun 10, 2025 - 20:15 nvd

CRITICAL 9.4

DescriptionNVD

A critical security vulnerability exists in remote cache extensions for common build systems utilizing bucket-based remote cache (such as those using Amazon S3, Google Cloud Storage, or similar object storage) that allows any contributor with pull request privileges to inject compromised artifacts from an untrusted environment into trusted production environments without detection.

The vulnerability exploits a fundamental design flaw in the "first-to-cache wins" principle, where artifacts built in untrusted environments (feature branches, pull requests) can poison the cache used by trusted environments (protected branches, production deployments).

This attack bypasses all traditional security measures including encryption, access controls, and checksum validation because the poisoning occurs during the artifact construction phase, before any security measures are applied.

AnalysisAI

CVE-2025-36852 is a security vulnerability (CVSS 9.4) that allows any contributor with pull request privileges. Critical severity with potential for significant impact on affected systems.

Technical ContextAI

Vulnerability type not specified by vendor. CVSS 9.4 indicates critical severity with likely remote exploitation vector.

RemediationAI

Monitor vendor channels for patch availability.

EUVD-2025-17809 vulnerability details – vuln.today

Back

EUVD-2025-17809

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code