There is a known CVE-2025-1695 regarding NGINX Unit with the following description.
In NGINX Unit before version 1.34.2 with the Java Language Module in use, undisclosed requests can lead to an infinite loop and cause an increase in CPU resource utilization. This vulnerability allows a remote attacker to cause a degradation that can lead to a limited denial-of-service (DoS).
This CVE is also mentioned here.
TPCF customers may have concern if this vulnerability exists in the NGINX buildpack for TPCF. And some scanner tools could also report this vulnerability against NGINX buildpack for TPCF. For example,
This CVE-2025-1695 doesn't affect NGINX buildpack for TPCF.
As it's mentioned in NGINX Unit blog, this CVE was addressed since NGINX Unit 1.34.2. However, NGINX and NGINX Unit are different things, which have different version trees as shown in their websites respectively.
https://nginx.org/en/download.html
https://github.com/nginx/unit/releases
NGNIX buildpack for TPCF uses regular NGINX, not NGINX Unit. So report of this vulnerability from any scanner tool against NGINX buildpack for TPCF would be a false-positive report.