Cloudflare's Handling of an RCE Vulnerability in cdnjs
A recent blog post highlighted a vulnerability in cdnjs, a platform that uses Cloudflare's services to host JavaScript, CSS, image, and font assets, with over 4,000 libraries available. The issue allowed arbitrary code execution, potentially enabling modification of assets. Upon receiving the report, Cloudflare immediately took action to block exploitation, investigate potential abuse, and remediate the vulnerability. No existing libraries were modified using this exploit, and all assets hosted on cdnjs remained intact.

The incident began with a package published by RyotaK that exploited the vulnerability, which led to GitHub alerting Cloudflare of exposed secrets. Within an hour, Cloudflare disabled the auto-update service and revoked all credentials. A new version of the auto-update tool was released within 24 hours. The security team reviewed access logs, API token usage, and file modification metadata, concluding that only RyotaK exploited this vulnerability during his research on test files.

To prevent similar issues from being exploited in the future, Cloudflare implemented an AppArmor profile for its auto-update tool and redesigned the entire pipeline to isolate each step and each library it processes. The company remains committed to maintaining a strong security posture through regular internal reviews, third-party audits, and encouraging vulnerability disclosure reports via HackerOne.
Company: Cloudflare
Date published: July 24, 2021
Author(s): Jonathan Ganz, Thomas Calderon, Sven Sauleau
Word count: 1355
Language: English
Hacker News points: 108