This npm package could have brought down Cloudflare's entire CDN and millions of websites

July 16, 2021 By Ax Sharma

5 minute read time

Cloudflare has patched a critical vulnerability in its open source content delivery network, CDNJS. The issue threatened the security, integrity, and availability of the wider supply chain.

Millions of websites that make up 12.7% of the internet use the CDNJS service for delivering popular JavaScript and CSS libraries.

As I reported today, security researcher RyotaK discovered he could upload a specifically crafted npm package with a Path Traversal or "ZIP Slip" exploit to achieve remote code execution on Cloudflare's JavaScript content delivery network.

The researcher demonstrated how an attacker could have altered any library served by CDNJS or taken down the entire CDN infrastructure in a software supply chain attack.

The npm package used by RyotaK is called hey-sven and has since been tracked by Sonatype under sonatype-2021-0829.

Sonatype has previously discussed the ZIP Slip vulnerability both in 2018, and most recently this year, in an analysis from our security researcher Juan Aguirre.

This particular vulnerability, however, could be exploited by anyone looking to publish a new library to CDNJS using GitHub or npm.

Adding a new library to CDN with a path traversal exploit

In case of Cloudflare's CDNJS, anyone could request to have a new package added to the CDN by submitting the package to Cloudflare's GitHub repository:

CDNJS search page showing the option to add new libraries that do not yet exist on the network.

Image: CDNJS search page showing the option to add new libraries that do not yet exist on the network.

However, the author of this newly published library could choose to release subsequent versions of the library on the npm registry. And these would automatically be fetched by CDNJS' bots.

For example, RyotaK was able to successfully publish a test library "hey-sven" on CDNJS by first submitting the library to the CDN's GitHub repo, and subsequently releasing future versions on the corresponding npm account:

Image of how to successfully publish a test library “hey-sven” on CDNJS by first submitting the library to the CDN’s GitHub repo, and subsequently releasing future versions on the corresponding npm account:

As confirmed by the Sonatype security research team, versions 1.0.1 and 1.0.2 of "hey-sven" that appeared on npm contained proof-of-concept Bash exploits:

Picture of what's inside the what’s inside these Bash scripts

For those curious about what's inside these Bash scripts, Sonatype security researcher Sebastián Castro took a quick peak at these and found benign text:

 contents of the bash scripts (Sonatype)

Image: contents of the bash scripts (Sonatype)

That's because, as RyotaK told me, this was a Proof of Concept (PoC) package that he had already given Cloudflare a heads-up about. Out of caution, the researcher has not yet released the functional exploit that disclosed the CDN's API keys (mentioned below).

The vulnerability works as follows: as soon as CDNJS fetches a new release from npm its automated bots would unpack (unzip) the new version of the library, published as an npm package. That's because npm packages are really TAR.GZ archives.

Consequently, if a path traversal or ZIP Slip vulnerability exists on the server, an attacker could read or overwrite existing files.

As soon as RyotaK's PoC package was retrieved from npm by CDNJS' automated bots, the CDN spilled out secret API keys at a URL where scripts are supposed to be served: https://cdnjs.cloudflare.com/... (complete URL redacted).

Output from an initial PoC provided the researcher with secret keys

Output from an initial PoC provided the researcher with secret keys Source: BleepingComputer

  1. GITHUB_REPO_API_KEY obtained from this exploit comes with "write" permissions, and an attacker could have used it to virtually tamper with any library present on CDNJS or the CDN’s entire website.
  2. WORKERS_KV_API_TOKEN secret obtained could enable adversaries to purge or alter any libraries living in the caches of Cloudflare Workers.

The researcher explained, "by combining these permissions, the core part of CDNJS, such as the origin data of CDNJS, the KV cache, and even the CDNJS website, could be completely tampered [with]."

A potential software supply chain disaster thwarted

RyotaK responsibly reported the vulnerability to Cloudflare in April 2021 and worked with their security teams over the next few weeks. This action helped safeguard the sanctity of the CDNJS ecosystem and the wider software supply chain.

Despite this, CDNs remain an attractive target for adversaries as they host thousands of commonly used libraries in active use by millions of websites. Should even one popular library be altered by a malicious entity, there are big rewards for an attacker and major problems for CDN users.

For example, in 2019, Volusion CDN's compromise led to a Magecart supply chain attack against thousands of e-commerce websites relying on the network.

This latest incident serves as another reminder of how even decades-old vulnerabilities and exploits like path traversal or ZIP Slip can re-emerge. Should bad actors get their hands on them, the consequences are unimaginable.

The widespread adoption of open source continues to grow. With more and more enterprises taking the open source software route for both their products and the components they consume, so does the attack surface.

Tags: vulnerabilities, Supply Chain Intelligence, featured, Industry commentary

Written by Ax Sharma

Ax is a Security Researcher at Sonatype and Engineer who holds a passion for perpetual learning. His works and expert analyses have frequently been featured by leading media outlets. Ax's expertise lies in security vulnerability research, reverse engineering, and software development. In his spare time, he loves exploiting vulnerabilities ethically and educating a wide range of audiences.