Security News > 2021 > July > Critical Cloudflare CDN flaw allowed compromise of 12% of all sites

Critical Cloudflare CDN flaw allowed compromise of 12% of all sites
2021-07-16 10:29

Cloudflare has fixed a critical vulnerability in its free and open-source CDNJS potentially impacting 12.7% of all websites on the internet.

CDNJS serves millions of websites with over 4,000 JavaScript and CSS libraries stored publicly on GitHub, making it the second-largest JavaScript CDN. The vulnerability exploits comprised publishing packages to Cloudflare's CDNJS using GitHub and npm, to trigger a Path Traversal vulnerability, and eventually remote code execution.

If exploited, the vulnerability would lead to a complete compromise of CDNJS infrastructure.

This week, security researcher RyotaK explains how he was able to find a method to completely compromise Cloudflare's CDNJS network while researching supply-chain attacks.

While glancing over cdnjs.com, RyotaK noticed that for libraries that did not yet exist in CDNJS, he could suggest the addition of a new library via CDNJS' GitHub repository.

A Cloudflare spokesperson told BleepingComputer that the vulnerability has not been exploited and that they are grateful to the researcher for reporting the issue.


News URL

https://www.bleepingcomputer.com/news/security/critical-cloudflare-cdn-flaw-allowed-compromise-of-12-percent-of-all-sites/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Cloudflare 18 1 13 27 3 44