
This npm Package Could Have Brought Down Cloudflare’s Entire CDN and Millions of Websites

Cloudflare has patched a critical vulnerability in its open source content delivery network, CDNJS. The issue threatened the security, integrity, and availability of the wider supply chain.

CDNJS serves popular JavaScript and CSS libraries to millions of websites, roughly 12.7% of all sites on the internet.

As I reported today, security researcher RyotaK discovered he could publish a specially crafted npm package carrying a path traversal, or “ZIP Slip”, payload and thereby achieve remote code execution on Cloudflare’s JavaScript content delivery network.

The researcher demonstrated how an attacker could have altered any library served by CDNJS or taken down the entire CDN infrastructure in a supply chain attack.

The npm package used by RyotaK is called hey-sven and has since been tracked by Sonatype under sonatype-2021-0829.

Sonatype has previously discussed the ZIP Slip vulnerability class, both in 2018 and, most recently, this year in an analysis by our security researcher Juan Aguirre.

This particular vulnerability, however, could be triggered by anyone able to publish a new library to CDNJS via GitHub or npm.

Adding a new library to CDN with a Path Traversal exploit

In the case of Cloudflare’s CDNJS, anyone could request to have a new package added to the CDN by submitting the package to Cloudflare’s GitHub repository:


Image: CDNJS search page showing the option to add new libraries that do not yet exist on the network.

However, the author of this newly published library could then choose to release subsequent versions of the library on the npm registry, and those versions would be fetched automatically by CDNJS’s bots.

For example, RyotaK successfully published a test library, “hey-sven”, on CDNJS by first submitting the library to the CDN’s GitHub repo and subsequently releasing later versions from the corresponding npm account:

Image: the test library “hey-sven” published on CDNJS after the GitHub submission, with later versions released from the corresponding npm account.
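The bug class behind this, as an added example that is not code from Cloudflare, CDNJS or RyotaK: an npm package is a gzip-compressed tar archive, and a ZIP Slip payload is a member whose name contains “../” so that a naive extractor, one that simply joins the member name onto the destination directory, writes the file outside that directory. The Go program below, written for this page, builds such a tarball in memory (a constructed sample, not the actual hey-sven package) and runs it through the containment check that an automated library fetcher must apply before extracting anything. It goes beyond the file-name case the page describes by also checking symlink targets, the other way an archive member can escape. The destination path /srv/cdnjs/hey-sven and all function names are hypothetical.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// Entry is one member of a constructed sample tarball; set Linkname for a symlink.
type Entry struct {
	Name, Body, Linkname string
}

// BuildTarball writes a gzip-compressed tar in memory, laid out like an npm tarball
// (members under "package/"). Names are written verbatim, so a hostile member such
// as "package/../../../evil.js" reaches the checker unchanged.
func BuildTarball(entries []Entry) ([]byte, error) {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.Name, Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(e.Body))}
		if e.Linkname != "" {
			hdr.Typeflag, hdr.Linkname, hdr.Size, hdr.Mode = tar.TypeSymlink, e.Linkname, 0, 0o777
		}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err := tw.Write([]byte(e.Body)); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	err := gz.Close() // flush the gzip trailer before buf is read
	return buf.Bytes(), err
}

// ErrPathTraversal marks a member that would land outside the destination.
var ErrPathTraversal = errors.New("tar member escapes destination directory")

// SafeJoin resolves name beneath dest and rejects absolute names and any ".."
// that climbs out of dest. The ZIP Slip bug is filepath.Join without this check.
func SafeJoin(dest, name string) (string, error) {
	absDest, err := filepath.Abs(dest)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absDest, name) // Join cleans "a/../../b" lexically
	inside := target == absDest || strings.HasPrefix(target, absDest+string(filepath.Separator))
	if filepath.IsAbs(name) || !inside {
		return "", ErrPathTraversal
	}
	return target, nil
}

// CheckTarball reads a gzip tar and returns the absolute path each member would be
// written to under dest, stopping at the first member that would escape. Only
// regular files and symlinks are accepted; any other member type is rejected.
func CheckTarball(data []byte, dest string) ([]string, error) {
	gz, err := gzip.NewReader(bytes.NewReader(data))
	if err != nil {
		return nil, err
	}
	tr := tar.NewReader(gz)
	var targets []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return targets, nil
		}
		if err != nil {
			return targets, err
		}
		target, err := SafeJoin(dest, hdr.Name)
		if err == nil && hdr.Typeflag == tar.TypeSymlink {
			// Check where the link points too, resolved from the link's own directory;
			// a link kept inside dest cannot redirect later members outside it.
			if filepath.IsAbs(hdr.Linkname) {
				err = ErrPathTraversal
			} else {
				_, err = SafeJoin(dest, filepath.Join(filepath.Dir(hdr.Name), hdr.Linkname))
			}
		} else if err == nil && hdr.Typeflag != tar.TypeReg {
			err = fmt.Errorf("unsupported member type %q", hdr.Typeflag)
		}
		if err != nil {
			return targets, fmt.Errorf("%s: %w", hdr.Name, err)
		}
		targets = append(targets, target)
	}
}

func main() {
	// Constructed sample: one legitimate file plus a ZIP Slip member that would
	// resolve to /srv/evil.js, two directories above the hypothetical destination.
	pkg, err := BuildTarball([]Entry{
		{Name: "package/index.js", Body: "module.exports = 'hey-sven';\n"},
		{Name: "package/../../../evil.js", Body: "// escaped the package directory\n"},
	})
	if err != nil {
		panic(err)
	}
	targets, err := CheckTarball(pkg, "/srv/cdnjs/hey-sven")
	fmt.Println(targets, err)
}
```

The check is purely lexical, which is deliberate: the fetcher should decide whether a package is acceptable before it touches the filesystem, and a rejected package should be discarded whole rather than partially extracted. Directory entries, hard links and device nodes are rejected outright, since a library tarball has no business containing them.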

As confirmed by the Sonatype (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/this-npm-package-could-have-brought-down-cloudflares-entire-cdn-and-millions-of-websites