Security researchers have identified critical vulnerabilities in the Node.js CI/CD infrastructure, exposing internal Jenkins agents to remote code execution and raising the risk of supply chain attacks.
These flaws stemmed from integration and communication gaps between multiple DevOps platforms (specifically GitHub Apps, GitHub Actions workflows, and Jenkins pipelines) that collectively manage Node.js’ continuous integration processes.
Exploiting CI/CD Pipeline Vulnerabilities
Node.js relies on a triplet of systems to manage its CI/CD pipelines: a GitHub App for pull request (PR) labeling, GitHub Actions workflows for triggering pipelines, and Jenkins agents for executing test builds.
Researchers found that the interplay between these platforms created exploitable security gaps.
Attackers could potentially gain unauthorized code execution on Jenkins agents, which run a variety of jobs and are sometimes reused across multiple tasks rather than being torn down after each one.

This opens the door for lateral movement, credential theft, and persistence within Node.js’ internal infrastructure.
The immediate risks included compromise of Jenkins credentials, unauthorized code execution, and the possibility of injecting unreviewed code into the Node.js main branch, threatening the security of downstream users.
Attack Method: Git Timestamp Forgery
The core vulnerability involved forging Git commit timestamps to bypass Node.js’ security checks.
The system used a function to ensure that the most recent commit in a PR was made before a maintainer applied the “request-ci” label, thereby preventing unreviewed code from being executed in Jenkins pipelines.
However, researchers demonstrated that attackers could manipulate Git’s timestamp metadata using environment variables such as GIT_AUTHOR_DATE and GIT_COMMITTER_DATE, because those values are set by whoever creates the commit and are not verified by the receiving side. This allowed an attacker to:
- Submit a legitimate PR that triggers the necessary labels.
- Wait for maintainer review and the addition of the “request-ci” label.
- Push a new, malicious commit with a forged timestamp predating the label event.
- Have Jenkins pipelines execute this unreviewed code, which could include payloads for remote code execution.
The attack was confirmed by submitting a benign PR, waiting for approval, and then injecting a payload with a forged timestamp.
This payload was executed by Jenkins agents, demonstrating the feasibility of remote code execution and the potential for further exploitation, such as lateral movement and credential harvesting.
Node.js Response and Remediation
Upon receiving the vulnerability report, Node.js acted swiftly to contain the threat. The ability to start new Jenkins jobs was temporarily disabled while a remediation plan was developed.
Node.js rebuilt potentially compromised Jenkins systems and implemented a crucial change: replacing date-based validation with approved SHA checks, effectively closing the vulnerabilities in both the “request-ci” and “commit-queue” processes.
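To make the contrast concrete, the following is an added illustration (not Node.js project code) of the timestamp-based gate described under “Attack Method” beside the approved-SHA gate the remediation moved to. It assumes the approved SHA is recorded at the moment the “request-ci” label is applied; all SHAs, dates and commits are constructed sample data.

```javascript
// Added illustration, not Node.js project code. Contrasts the timestamp gate
// the article describes with the approved-SHA gate Node.js adopted.
// Every SHA, date and commit below is constructed sample data.

// Vulnerable gate: trusts committer dates, which the pusher controls
// (GIT_COMMITTER_DATE). Allows CI when the PR head claims a date no later
// than the moment a maintainer applied the "request-ci" label.
function allowedByDate(prCommits, labelAppliedAt) {
  const head = prCommits[prCommits.length - 1];
  return Date.parse(head.committerDate) <= Date.parse(labelAppliedAt);
}

// Hardened gate: the label event records the head SHA the maintainer
// reviewed (assumed here), and CI runs only while the PR head is still that
// exact SHA. A back-dated commit still produces a new SHA, so it cannot pass.
function allowedBySha(prCommits, approvedSha) {
  const head = prCommits[prCommits.length - 1];
  return head.sha === approvedSha;
}

// Both gates for one PR state, so the two outcomes can be compared side by side.
function evaluate(prCommits, labelAppliedAt, approvedSha) {
  return {
    dateGate: allowedByDate(prCommits, labelAppliedAt),
    shaGate: allowedBySha(prCommits, approvedSha),
  };
}

// Constructed scenario from the article: benign commit, label applied,
// then an unreviewed commit pushed with a committer date before the label.
const LABEL_APPLIED_AT = '2025-03-01T12:00:00Z';
const APPROVED_SHA = 'a1a1a1a'; // head SHA when the label was applied (constructed)
const reviewedState = [
  { sha: 'a1a1a1a', committerDate: '2025-03-01T11:00:00Z' },
];
const afterForgedPush = [
  { sha: 'a1a1a1a', committerDate: '2025-03-01T11:00:00Z' },
  { sha: 'b2b2b2b', committerDate: '2025-03-01T11:30:00Z' }, // back-dated, never reviewed
];

console.log('reviewed head    ', evaluate(reviewedState, LABEL_APPLIED_AT, APPROVED_SHA));
console.log('after forged push', evaluate(afterForgedPush, LABEL_APPLIED_AT, APPROVED_SHA));
```

Run with node: the second line shows the date gate accepting a commit the maintainer never saw, while the SHA gate refuses it.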
A comprehensive audit across 140 Jenkins jobs was conducted, with priority given to the most frequently used systems.
This incident highlights the complexity and risk inherent in multi-platform CI/CD environments, especially when relying on easily manipulated metadata for security decisions.
Node.js’ rapid response and transparency in addressing the issue exemplify best practices in open-source security, helping to safeguard the broader ecosystem from potential supply chain attacks.