Hacker News
by ffjffsfr 1794 days ago
Great work finding this out; it was a really fascinating read. Just wondering, how do you publish a compromised package to npm? The CDN had to install some npm package, right? Publishing some package is easy, but how do you publish something that is downloaded by Cloudflare? If it is so easy to publish a compromised npm package and have it end up in the Cloudflare CDN, it is quite scary, even if the underlying security loophole related to overriding paths by tar is fixed.
2 comments

The vulnerability is the ability to poison the cache of some popular library once I steal the WORKERS_KV token. I could choose the most popular library, say Bootstrap, and change it to something else. People who loaded the script with SRI on browsers that support SRI would notice a problem, but I could still target millions of others.
cdnjs and similar CDNs should be considered mirrors of what they are serving, so they don't do any security checks on it. It is best not to use these services, especially since cache partitioning and HTTP/2 make them obsolete.