Mitigating CVE-2025-29775 in Tanzu Application Service (TAS)

Article ID: 394669

Products

VMware Tanzu Platform

Issue/Introduction

Security scanners may flag the presence of xml-crypto@2.1.3, which contains a known vulnerability (CVE-2025-29775). This package is bundled with the TAS Portal Application as an npm offline cache artifact.

Cause

In Tanzu Application Service (TAS), CVE-2025-29775 affects the TAS Portal Application, which is currently in Beta and only available in TAS 4.x releases.
TAS 6.x and TAS 10.x are not affected, as the TAS Portal Application was discontinued in these versions.

Resolution

To mitigate the issue, follow these steps:

  • Remove the vulnerable xml-crypto package during VM creation using a BOSH runtime configuration.
  • Manually remove the package from running VMs (if not recreating).
  • Delete the TAS Portal application from your foundation.
  • Be aware of expected errors if you attempt to re-push the TAS Portal errand after mitigation.

Optionally, clean up the runtime configuration after TAS has been upgraded to 6.x or 10.x, where the package is no longer shipped.


Steps to Remove xml-crypto

1. Delete the TAS Portal Application

Run the following command to remove the vulnerable TAS Portal (tas-portal) Application:

cf delete tas-portal -r -f


2. Create the Runtime Config File

Create a file named xml-cve.yaml and update the deployment name to match your foundation:

---
releases:
  - name: os-conf
    version: 22.3.1
    url: https://bosh.io/d/github.com/cloudfoundry/os-conf-release?v=22.3.1
    sha1: 9276888fc54d22950045a247d348142757ae9129
addons:
  - name: xml-CVE-2025-29775
    include:
      deployments:
        - cf-1<deployment_name>  # Replace with your deployment name
      instance_groups:
        - clock_global
    jobs:
      - name: pre-start-script
        release: os-conf
        properties:
          description: |
            Deletes the xml-crypto-2.1.3 tarball only on the clock_global VMs during VM creation.
          script: |-
            #!/bin/bash
            sudo rm -rf /var/vcap/packages/tas-portal/npm-packages-offline-cache/xml-crypto-2.1.3.tgz


3. Apply the Runtime Configuration

bosh update-runtime-config xml-cve.yaml --name=xml-CVE-2025-29775

Then, in Ops Manager, perform Apply Changes on the TAS Tile.


4. Manually Remove the Package from Existing VMs

If VMs are already running and you prefer not to recreate them immediately, you can remove the file manually using SSH:

bosh -d <deployment_name> ssh -c "sudo rm -rf /var/vcap/packages/tas-portal/npm-packages-offline-cache/xml-crypto-2.1.3.tgz" clock_global
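The following verification helper is an added example, not part of this article or the TAS product: it checks an npm offline cache directory for the xml-crypto tarballs, reads each tarball's declared version from its package/package.json, and reports whether the 2.1.3 tarball removed above is still present. The cache path, tarball name and instance group are taken from the commands in this article; the function and variable names are assumptions for the example.

```shell
#!/bin/sh
# Added verification helper (not part of the KB article). Paths and names
# are assumptions taken from the article's own commands.

CACHE_DIR_DEFAULT=/var/vcap/packages/tas-portal/npm-packages-offline-cache
VULN_TARBALL=xml-crypto-2.1.3.tgz

# Print "<file> <version>" for every xml-crypto tarball in DIR. The version
# is read from package/package.json inside the archive (npm tarball layout),
# so a renamed tarball still reports its real version.
list_xml_crypto() {
  dir=$1
  for f in "$dir"/xml-crypto-*.tgz; do
    [ -e "$f" ] || continue
    ver=$(tar -xzOf "$f" package/package.json 2>/dev/null \
          | sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
          | head -n1)
    printf '%s %s\n' "$(basename "$f")" "${ver:-unknown}"
  done
}

# Return 0 when the vulnerable tarball is absent from DIR (mitigation in
# place), 1 when it is still present.
mitigation_applied() {
  dir=${1:-$CACHE_DIR_DEFAULT}
  if [ -e "$dir/$VULN_TARBALL" ]; then
    echo "STILL PRESENT: $dir/$VULN_TARBALL"
    return 1
  fi
  echo "OK: $VULN_TARBALL not found in $dir"
  return 0
}

# Run the same check on every clock_global VM of a deployment. Requires the
# bosh CLI and a targeted director; not exercised by the offline test.
verify_deployment() {
  bosh -d "$1" ssh clock_global -c \
    "test ! -e $CACHE_DIR_DEFAULT/$VULN_TARBALL && echo OK || echo STILL_PRESENT"
}
```

Run `verify_deployment <deployment_name>` after Apply Changes or the manual removal to confirm every clock_global VM reports OK.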


Expected Behavior if TAS Portal is Re-Pushed

Once the above steps are completed and you perform Apply Changes with the push-tas-portal errand selected, you will encounter the following failure:

error Can't make a request in offline mode ("https://build-artifactory.eng.vmware.com/artifactory/api/npm/npm/xml-crypto/-/xml-crypto-2.1.3.tgz")
info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.

FAILED

This is expected, as the required xml-crypto package was removed as part of the CVE mitigation process.


Optional: Clean Up the Runtime Configuration

Once your TAS foundation is upgraded to 6.x or 10.x, where the vulnerability is no longer present, you may clean up the applied runtime configuration to keep your deployment tidy.

Steps to Remove the Runtime Config

  1. List the existing BOSH configurations:

bosh configs

  2. Delete the specific configuration:

Identify the config with the name xml-CVE-2025-29775 and delete it:

bosh delete-config --type=runtime --name=xml-CVE-2025-29775


Outcome

After completing these steps:

  • The xml-crypto@2.1.3 package is removed from your TAS environment.
  • The TAS Portal app (if present) is deleted.
  • Security scans should no longer report this CVE.
  • The runtime configuration can optionally be cleaned up once no longer needed.