Supply-Chain Attack Vulnerability Affecting Nx Build System Package by Nrwl
CVE-2025-10894

9.6CRITICAL

Key Information:

Status
Multicluster Global Hub
Openshift Serverless
Red Hat Advanced Cluster Management For Kubernetes 2
Vendor
CVE Published:
24 September 2025

What is CVE-2025-10894?

A recent supply-chain attack compromised the Nx build system package and its associated plugins, allowing attackers to inject malicious code. The tampered package was distributed via the npm registry, where it was designed to scan the file system for user credentials. This sensitive data was subsequently transferred to a GitHub repository under the affected users' accounts, putting their security at risk. Users of Nx are strongly advised to review their installations and take necessary actions to mitigate exposure.

References

https://access.redhat.com/security/cve/CVE-2025-10894
vdb-entryx_refsource_REDHAT
https://access.redhat.com/security/supply-chain-attacks-N...
https://bugzilla.redhat.com/show_bug.cgi?id=2396282
issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-10894 : Supply-Chain Attack Vulnerability Affecting Nx Build System Package by Nrwl