Cloudflare, the web infrastructure and website security company, last month fixed a critical vulnerability in its CDNJS library (cdnjs is a free and open-source CDN service trusted by over 12.7% of all websites on the internet).
The weakness, in the CDNJS library update server, could potentially allow an attacker to execute arbitrary commands, leading to a complete compromise. The vulnerability could be exploited without any special skills, yet it could impact a large number of websites.
The vulnerability was discovered and reported by security researcher RyotaK on April 6, 2021. There is no evidence of in-the-wild attacks exploiting this flaw. Specifically, the attack path uses GitHub and npm to publish a package to Cloudflare’s CDNJS, then exploits a path traversal vulnerability while the server processes that package, and finally tricks the server into executing arbitrary code, achieving remote code execution.
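The article does not say where in the update pipeline the path traversal sat; the added example below assumes it lies in the file names of a published package tarball and shows the defensive check a package-ingestion server should apply before extraction: every archive entry must resolve inside the destination directory, and link entries are rejected. This is illustrative code written for this page, not Cloudflare's or RyotaK's; the tarball, file names and paths are constructed samples.

```python
import io
import os
import tarfile


def build_sample_tarball() -> bytes:
    """Constructed sample: an npm-style tarball with one normal file and
    one entry whose name tries to climb out of the extraction directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in [
            ("package/dist/lib.min.js", b"console.log('ok');\n"),
            ("package/../../../tmp/evil.sh", b"#!/bin/sh\necho constructed-sample\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def is_within(dest: str, member_name: str) -> bool:
    """True only if dest/member_name normalises to a path inside dest."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member_name))
    return os.path.commonpath([dest_real, target]) == dest_real


def classify_members(tarball: bytes, dest: str):
    """Split archive entries into (accepted, rejected) name lists.

    Rejects absolute paths, '..' traversal, symlinks and hard links, all of
    which can make a naive extraction write outside dest (for example into
    a directory the update server later executes from)."""
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        for m in tar.getmembers():
            bad = (
                os.path.isabs(m.name)
                or m.issym() or m.islnk()
                or not is_within(dest, m.name)
            )
            (rejected if bad else accepted).append(m.name)
    return accepted, rejected


if __name__ == "__main__":
    ok, dropped = classify_members(build_sample_tarball(), "/srv/cdnjs/extract")
    print("accepted:", ok)
    print("rejected:", dropped)
```

Run the accepted list through the real extraction and alert on any non-empty rejected list; a published package that needs traversal to install is itself a signal worth investigating.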
“This vulnerability can be exploited without special skills, but it can affect many websites,” says RyotaK. “I feel very scared given that there are many vulnerabilities in the supply chain that are easy to exploit but have a large impact.”