While analyzing cdnjs.com, the researcher noticed that users can request libraries that are not yet in CDNJS. In addition, it turned out that the cdnjs/bot-ansible and cdnjs/tools repositories contain auto-update scripts that automatically download library updates.
As part of the experiment, RyotaK published a test library called hey-sven in CDNJS and added new versions of hey-sven to the NPM repository. In one of the versions, the researcher hid Bash scripts inside ZIP/TGZ archives that exploit a directory traversal (path traversal) vulnerability.
Moreover, the researcher was able to inject GITHUB_REPO_API_KEY (an API key that grants write permissions) and WORKERS_KV_API_TOKEN (which can be used to modify libraries in the Cloudflare Workers cache) into scripts served by the CDN (cdnjs.cloudflare.com).
“By combining these permissions, it is possible to modify a key part of CDNJS, such as CDNJS origin data, KV cache, and even the CDNJS website,” the researcher explained.
RyotaK reported the issue to Cloudflare through the vulnerability disclosure program on the HackerOne platform in April this year, and it was fixed within 24 hours.
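The archive-handling weakness described above is the kind of thing an auto-updater can screen for before unpacking a downloaded package. The following is an added example, not code from cdnjs or Cloudflare: it audits a TGZ archive for entries that would land outside the destination directory, and goes slightly beyond the article by also checking link entries. The function names, the `/srv/cdn/lib` destination and the sample archive are assumptions constructed for illustration.

```python
import io
import posixpath
import tarfile


def unsafe_members(tgz_bytes, dest="/srv/cdn/lib"):
    """Return (name, reason) for every entry that must not be extracted into dest."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            # Resolve the entry name against dest without touching the filesystem.
            target = posixpath.normpath(posixpath.join(dest, m.name))
            if m.name.startswith("/") or not target.startswith(dest + "/"):
                findings.append((m.name, "path escapes destination"))
            elif m.issym() or m.islnk():
                # Symlinks resolve relative to their own directory,
                # hard links relative to the archive root.
                base = posixpath.dirname(target) if m.issym() else dest
                link = posixpath.normpath(posixpath.join(base, m.linkname))
                if not link.startswith(dest + "/"):
                    findings.append((m.name, "link points outside destination"))
            elif not (m.isfile() or m.isdir()):
                findings.append((m.name, "unexpected entry type"))
    return findings


def build_sample():
    """Constructed test archive: one normal file, one traversal name, one symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in ("package/index.js", "package/../../../../tmp/run.sh"):
            data = b"// constructed sample\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("package/config")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../outside.txt"  # constructed link target
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in unsafe_members(build_sample()):
        print(f"REJECT {name}: {reason}")
```

An updater would refuse the whole package if this list is non-empty rather than extracting the remaining entries. On Python 3.12 and later, `tarfile.extractall(..., filter="data")` applies comparable checks at extraction time.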