The issue affects CDNJS, a content delivery network designed to accelerate the delivery of JavaScript libraries.
Cloudflare, which provides CDN services, has fixed a dangerous vulnerability that threatened to compromise about 12.7% of all sites on the Internet.
According to cybersecurity researcher RyotaK, the problem affects CDNJS, a content delivery network designed to accelerate the delivery of JavaScript libraries. The vulnerability makes it possible to replace JavaScript libraries served by websites and to execute arbitrary code on CDN servers.
While analyzing cdnjs.com, the researcher noticed that users can request libraries that are not yet in CDNJS. It also turned out that cdnjs/bot-ansible and cdnjs/tools contain auto-update scripts that ensure library updates are downloaded automatically.
CDNJS downloads packages from Git or an NPM repository and lets any site use the Cloudflare content delivery network for free to speed up the loading of JavaScript libraries. To unpack NPM packages shipped as tgz archives, it uses Go's archive/tar package, which returns the list of files without path normalization.
As part of the experiment, RyotaK published a test library called hey-sven in CDNJS and added new versions of hey-sven to the NPM repository. In one of the versions, the researcher hid, inside ZIP/TGZ archives, Bash scripts that exploit the directory traversal (path traversal) vulnerability.
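An added Go example, not code from CDNJS or Cloudflare, showing how an unpacker can validate the entry names that archive/tar returns unnormalized before joining them to a destination directory. The archive, its entry names and the `/srv/unpack` destination are constructed for illustration; `filepath.IsLocal` and `tar.ErrInsecurePath` require Go 1.20 or later.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"path/filepath"
)

// Audit reads a .tgz and splits its entries into safe target paths under dest
// and refused raw names. Nothing is written to disk.
func Audit(tgz []byte, dest string) (safe, refused []string, err error) {
	gz, err := gzip.NewReader(bytes.NewReader(tgz))
	if err != nil {
		return nil, nil, err
	}
	for tr := tar.NewReader(gz); ; {
		hdr, err := tr.Next()
		if err == io.EOF {
			return safe, refused, nil
		} else if err != nil && !errors.Is(err, tar.ErrInsecurePath) {
			return nil, nil, err
		}
		// hdr.Name comes back exactly as stored in the archive. IsLocal
		// rejects absolute names and names that climb out via "../".
		if !filepath.IsLocal(hdr.Name) {
			refused = append(refused, hdr.Name)
			continue
		}
		safe = append(safe, filepath.Join(dest, hdr.Name))
	}
}

// Sample builds a constructed archive: one normal file, one traversal entry.
func Sample() []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for _, n := range []string{"package/index.js", "package/../../outside.sh"} {
		tw.WriteHeader(&tar.Header{Name: n, Mode: 0o644, Typeflag: tar.TypeReg})
	}
	tw.Close()
	gz.Close()
	return buf.Bytes()
}

func main() { fmt.Println(Audit(Sample(), "/srv/unpack")) }
```

A real extractor would run the same name check before creating each file, rather than only listing the results.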
Moreover, the researcher was able to inject GITHUB_REPO_API_KEY (an API key that grants write permissions) and WORKERS_KV_API_TOKEN (which can be used to modify libraries in the Cloudflare Workers cache) into scripts served by the CDN (cdnjs.cloudflare.com).
“By combining these permissions, it is possible to modify a key part of CDNJS, such as CDNJS origin data, KV cache, and even the CDNJS website,” the researcher explained.
RyotaK reported the issue to Cloudflare under the vulnerability disclosure program on the HackerOne platform in April this year, and it was fixed within 24 hours.