IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Cloudflare flaw could have led to series of supply-chain attacks

Hackers were able to exploit a path traversal vulnerability to compromise CDNJS and target thousands of sites

A vulnerability in the CDNJS library update server, which is owned by Cloudflare and used by 12.7% of all websites on the internet, could have been abused to execute arbitrary commands and seize control of the CDNJS. 

CDNJS is an open source software content delivery network and is the second most popular after Google Hosted Libraries, which itself is used by 12.8% of sites across the web. The resource hosts thousands of JavaScipt and CSS libraries that sites can adopt to embed features and tools.

The flaw, present in the update server, however, may have led to hackers executing arbitrary commands and entirely compromising the CDNJS catalogue, according to the security researcher known as Ryotak. They reported to flaw to Cloudflare on 6 April, and there’s no evidence so far that it’s been exploited in the wild.

The mechanism for exploitation centres on publishing packages to the CDNJS using GitHub and npm, and using this route to trigger a path traversal vulnerability and fooling the server into executing arbitrary code. Attackers can, therefore, achieve remote code execution.

A path traversal vulnerability allows an attacker to access files on your web server without appropriate access or permission, either by tricking the web server or the web application running on it to return files that exist outside of the web root folder.

Related Resource

Five questions to ask before you upgrade to a modern SIEM

Do you need a better defense strategy?

White title against a dark blue background - whitepaper from IBMFree download

The CDNJS infrastructure also includes a feature to automate library updates by running scripts on the server to download relevant files from the user-managed Git repository or npm package registry.

An attack could involve cyber criminals publishing a new version of a specially-crafted package, which would be carried by the update server for publishing. This would copy the contents of the malicious package into a regularly executed script file hosted on the server.

In practice, this means compromising CDNJS may have led to a series of supply-chain attacks that granted hackers automated access to all sites that use the JavaScript and CSS libraries that comprise it.

The researcher demonstrated the vulnerability can be exploited in a proof-of-concept that involved uploading a file to an npm registry, then waiting for the CDNJS library udpate server to process the crafted file. The contents of the file were written into a regulatory executed script file and the arbitrary was executed.

“While this vulnerability could be exploited without any special skills, it could impact many websites,” they said. “Given that there are many vulnerabilities in the supply chain, which are easy to exploit but have a large impact, I feel that it’s very scary.”

After Cloudflare was alerted to the flaw on 6 April, the firm applied a complete fix on 3 June. 

Featured Resources

Mastering retention

Turning user behaviour insights into retention strategies

Free Download

Dell PowerEdge with AMD

IT applications and infrastructure are the prime catalyst for new revenue creation

Free Download

Building for success with off-premises private cloud

Leveraging co-location facilities to execute your cloud strategy

Free Download

Cyber resiliency and end-user performance

Reduce risk and deliver greater business success with cyber-resilience capabilities

Free Download

Most Popular

46 US states call for Meta monopoly lawsuit to be reinstated
mergers and acquisitions

46 US states call for Meta monopoly lawsuit to be reinstated

20 Sep 2022
Anonymous hacks Iranian government and state broadcasters
cyber attacks

Anonymous hacks Iranian government and state broadcasters

22 Sep 2022
Why collaboration is key to digital transformation

Why collaboration is key to digital transformation

13 Sep 2022