Clarifying impact of CVE-2025-1695 on NGINX buildpack for TPCF

Article ID: 414719

Updated On:

Products

VMware Tanzu Application Service

Issue/Introduction

CVE-2025-1695 is a known vulnerability in NGINX Unit, with the following description.

In NGINX Unit before version 1.34.2 with the Java Language Module in use, undisclosed requests can lead to an infinite loop and cause an increase in CPU resource utilization. This vulnerability allows a remote attacker to cause a degradation that can lead to a limited denial-of-service (DoS).  

This CVE is also mentioned here

TPCF customers may be concerned about whether this vulnerability exists in the NGINX buildpack for TPCF. Some scanner tools may also report this vulnerability against the NGINX buildpack for TPCF. For example,

Resolution

CVE-2025-1695 does not affect the NGINX buildpack for TPCF.

As mentioned in the NGINX Unit blog, this CVE was addressed in NGINX Unit 1.34.2. However, NGINX and NGINX Unit are different products with different version trees, as shown on their respective websites.

https://nginx.org/en/download.html

https://github.com/nginx/unit/releases

The NGINX buildpack for TPCF uses regular NGINX, not NGINX Unit, so any scanner report of this vulnerability against the NGINX buildpack for TPCF is a false positive.
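
The following is an added example, not part of the original article or of any VMware or NGINX tooling: a small triage helper that classifies a CVE-2025-1695 scanner finding by first identifying the product from its version banner and only then comparing versions. The function names and the sample banners are constructed for illustration; the banner formats assumed are those printed by `nginx -v` and `unitd --version`.

```python
import re

CVE = "CVE-2025-1695"
UNIT_FIXED = (1, 34, 2)  # per the CVE text: NGINX Unit before 1.34.2 is affected

# Assumed banner formats: `nginx -v` and `unitd --version`.
BANNERS = {
    "nginx": re.compile(r"^nginx version: nginx/(\d+(?:\.\d+)*)"),
    "nginx-unit": re.compile(r"^unit version: (\d+(?:\.\d+)*)"),
}


def identify(banner):
    """Return (product, version_tuple) for a version banner, or (None, None)."""
    for product, pattern in BANNERS.items():
        match = pattern.match(banner.strip())
        if match:
            return product, tuple(int(p) for p in match.group(1).split("."))
    return None, None


def triage(banner, java_module=False):
    """Classify a CVE-2025-1695 finding reported against one component."""
    product, version = identify(banner)
    if product is None:
        return "unknown-component"
    # Product check comes first: regular NGINX has its own version tree, and
    # its version numbers can compare lower than 1.34.2 without being affected.
    if product != "nginx-unit":
        return "false-positive"
    if version >= UNIT_FIXED:
        return "fixed"
    # The CVE description limits impact to the Java Language Module.
    return "affected" if java_module else "review-java-module"


if __name__ == "__main__":
    # Constructed sample banners, not taken from a real deployment.
    samples = [
        ("nginx version: nginx/1.27.4", False),
        ("unit version: 1.34.1", True),
        ("unit version: 1.34.2", True),
    ]
    for banner, java in samples:
        print(f"{CVE} | {banner!r} | {triage(banner, java)}")
```
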