
Bug in CloudFlare’s CDNJS could have led to a Large-Scale Supply-Chain Attack

by CISOCONNECT Bureau

Last month, Cloudflare patched a critical vulnerability in its CDNJS service, which is utilised by 12.7 percent of all websites on the internet.

CDNJS is a free and open-source Content Delivery Network (CDN) that serves 4,041 JavaScript and CSS libraries, making it the second most popular CDN for JavaScript after Google Hosted Libraries.

The flaw lies in the CDNJS library update server and could have allowed an attacker to run arbitrary commands on it, potentially resulting in a complete compromise of the infrastructure.

On April 6, 2021, security researcher RyotaK identified and reported the vulnerability. There is no evidence that this vulnerability has been exploited in the wild.

The attack chain leverages GitHub and npm to publish packages to Cloudflare’s CDNJS, then uses a path traversal vulnerability to trick the update server into running attacker-supplied code, resulting in remote code execution.

It’s worth noting that the CDNJS infrastructure automates library updates by periodically running scripts on the server that download the appropriate files from each library’s user-managed Git repository or npm package.

By uncovering an issue with how the mechanism sanitizes package paths, RyotaK found that “arbitrary code can be executed after performing path traversal from the .tgz file published to npm and overwriting the script that is executed regularly on the server.”
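The defensive counterpart to the issue described above is an extraction step that refuses any archive entry whose resolved path would land outside the intended directory. The following Python is an added illustration written for this article, not Cloudflare’s or RyotaK’s code; the extraction directory, the overwritten script path and the link target are placeholders, and the two tarballs are constructed in memory so the example runs offline.

```python
from __future__ import annotations

import io
import os
import tarfile
from typing import Optional


def is_unsafe_member(member: tarfile.TarInfo, dest: str) -> Optional[str]:
    """Return why this archive entry must not be written under dest, or None if it is safe."""
    dest_real = os.path.realpath(dest)
    if os.path.isabs(member.name):
        return f"absolute path: {member.name}"
    # Resolve where the entry would actually land; realpath collapses ".." components,
    # so an entry that traverses out of dest ends up outside dest_real.
    target = os.path.realpath(os.path.join(dest_real, member.name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        return f"path traversal: {member.name}"
    if member.issym() or member.islnk():
        # A link can point anywhere on the host, and a later entry may write through it.
        return f"link entry: {member.name} -> {member.linkname}"
    if not (member.isfile() or member.isdir()):
        return f"special file: {member.name}"
    return None


def check_archive(tgz_bytes: bytes, dest: str) -> list[str]:
    """Inspect every entry of an in-memory .tgz and list the reasons for rejecting it."""
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        reasons = (is_unsafe_member(m, dest) for m in tar.getmembers())
        return [r for r in reasons if r is not None]


def safe_extract(tgz_bytes: bytes, dest: str) -> list[str]:
    """Extract only if every entry passed the check; returns the extracted entry names."""
    problems = check_archive(tgz_bytes, dest)
    if problems:
        raise ValueError("refusing to extract: " + "; ".join(problems))
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            # Python 3.12+ (and backports) enforce the same rules inside extractall.
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


def build_tgz(files: dict[str, bytes], links: Optional[dict[str, str]] = None) -> bytes:
    """Build a .tgz in memory from constructed entries. Names are written verbatim, so a
    traversal name such as "../x" is stored exactly as a hostile publisher could craft it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, linkname in (links or {}).items():
            info = tarfile.TarInfo(name=name)
            info.type = tarfile.SYMTYPE
            info.linkname = linkname
            tar.addfile(info)
    return buf.getvalue()


# Constructed samples: a benign npm-style package, and one that tries to escape the
# extraction directory. All paths are placeholders, not the real CDNJS server layout.
EXTRACT_DIR = "/srv/example-extract"
BENIGN_TGZ = build_tgz({"package/dist/lib.min.js": b"// harmless library build\n"})
HOSTILE_TGZ = build_tgz(
    {
        "package/dist/lib.min.js": b"// harmless library build\n",
        "../../../opt/example-update-server/update.sh": b"#!/bin/sh\necho overwritten\n",
    },
    links={"package/escape": "/etc/example-outside-file"},
)

if __name__ == "__main__":
    print("benign :", check_archive(BENIGN_TGZ, EXTRACT_DIR) or "clean")
    print("hostile:", check_archive(HOSTILE_TGZ, EXTRACT_DIR))
```

The check is done on the archive’s own entry list before anything touches disk, so a single rejected entry blocks the whole package rather than leaving a half-written tree. Rejecting link entries outright is deliberate: a symlink inside the extraction directory is only a problem if something later writes through it, but an update pipeline that runs on a schedule is exactly the kind of “something later”.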
