
Another widespread supply-chain attack fixed after CDNJS bugs found in Cloudflare


Cloudflare, a web infrastructure and website security company, last month fixed a critical vulnerability in its CDNJS library. cdnjs is a free and open-source CDN service trusted by over 12.7% of all websites on the internet.

 

The weakness was in the CDNJS library update server and could potentially allow an attacker to execute arbitrary commands, leading to a complete compromise. Although this vulnerability could be exploited without any special skills, it could impact many websites.

 

Powered by Cloudflare, cdnjs serves over 200 billion requests each month and makes it faster and easier to load library files on your websites. It is an open-source content delivery network (CDN) that serves about 4,041 JavaScript and CSS libraries, making it the second most popular CDN for JavaScript after Google Hosted Libraries.

 

This vulnerability was discovered and reported by security researcher RyotaK on April 6, 2021. There is no evidence of attacks in the wild that exploit this flaw. Specifically, the attack uses GitHub and npm to publish a package to Cloudflare’s CDNJS, uses that package to trigger a path traversal vulnerability, and finally tricks the server into executing arbitrary code, resulting in remote code execution.

 

“This vulnerability can be exploited without special skills, but it can affect many websites,” says RyotaK. “I feel very scared given that there are many vulnerabilities in the supply chain that are easy to exploit but have a large impact.”
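A server that unpacks third-party packages can block the path traversal step described above before any file is written. The following is an added example, not code from Cloudflare, cdnjs or the researcher's report. It assumes the package arrives as a gzip-compressed tar archive (the format npm uses); the function names and destination path are hypothetical.

```python
import io
import os
import tarfile


def audit_package(tgz_bytes, dest):
    """Split the entries of an untrusted package tarball into (safe, rejected).

    An entry is rejected if it is anything other than a regular file or
    directory (symlinks, hard links, devices), or if its resolved path
    would land outside dest.
    """
    root = os.path.realpath(dest)
    safe, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar:
            # Resolve the path the entry would be written to, including "..".
            target = os.path.realpath(os.path.join(root, member.name))
            inside = os.path.commonpath([root, target]) == root
            if inside and (member.isfile() or member.isdir()):
                safe.append(member.name)
            else:
                rejected.append(member.name)
    return safe, rejected


def build_sample():
    """Constructed sample: a normal file, a traversal entry and a symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in ("package/index.js", "package/../../../tmp/evil.sh"):
            data = b"// constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("package/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc"
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical destination directory for the library's files.
    safe, rejected = audit_package(build_sample(), "/srv/cdn/example-lib")
    print("extract:", safe)
    print("reject: ", rejected)
```

Rejecting the whole package when `rejected` is non-empty is the stricter policy; extracting only the `safe` entries is the more lenient one.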
