Security News > 2021 > July > CloudFlare CDNJS Bug Could Have Led to Widespread Supply-Chain Attacks
Web infrastructure and website security company Cloudflare last month fixed a critical vulnerability in its CDNJS library that's used by 12.7% of all websites on the internet.
CDNJS is a free and open-source content delivery network that serves about 4,041 JavaScript and CSS libraries, making it the second most popular CDN for JavaScript after Google Hosted Libraries.
The weakness concerned an issue in the CDNJS library update server that could potentially allow an attacker to execute arbitrary commands, leading to a complete compromise.
Specifically, the vulnerability works by publishing packages to Cloudflare's CDNJS using GitHub and npm, using it to trigger a path traversal vulnerability, and ultimately trick the server into executing arbitrary code, thus achieving remote code execution.
It's worth noting that the CDNJS infrastructure includes features to automate library updates by periodically running scripts on the server to download relevant files from the respective user-managed Git repository or npm package registry.
In other words, the goal of the attack is to publish a new version of a specially-crafted package to the repository, which is then picked up the CDNJS library update server for publishing, in the process copying the contents of the malicious package into a regularly executed script file hosted on the server, thereby gaining arbitrary code execution.