Security News > 2021 > July > Critical Cloudflare CDN flaw allowed compromise of 12% of all sites
Cloudflare has fixed a critical vulnerability in its free and open-source CDNJS potentially impacting 12.7% of all websites on the internet.
CDNJS serves millions of websites with over 4,000 JavaScript and CSS libraries stored publicly on GitHub, making it the second-largest JavaScript CDN. The vulnerability exploits comprised publishing packages to Cloudflare's CDNJS using GitHub and npm, to trigger a Path Traversal vulnerability, and eventually remote code execution.
If exploited, the vulnerability would lead to a complete compromise of CDNJS infrastructure.
This week, security researcher RyotaK explains how he was able to find a method to completely compromise Cloudflare's CDNJS network while researching supply-chain attacks.
While glancing over cdnjs.com, RyotaK noticed that for libraries that did not yet exist in CDNJS, he could suggest the addition of a new library via CDNJS' GitHub repository.
A Cloudflare spokesperson told BleepingComputer that the vulnerability has not been exploited and that they are grateful to the researcher for reporting the issue.