Security researchers discovered a critical TOCTOU vulnerability in Node.js’s CI/CD infrastructure that allowed attackers to execute malicious code on internal Jenkins agents. An adversary could submit a legitimate pull request, obtain approval and the request-ci label, then push new commits with forged timestamps to bypass code review checks. Once inside the pipeline, the malicious payload could establish persistence in the Jenkins environment, harvest internal credentials and move laterally across build and test systems. A parallel flaw in the commit-queue process might have enabled injection of unreviewed code directly into the main branch, threatening the entire Node.js supply chain. The Node.js security team swiftly restricted access to vulnerable Jenkins runs, rebuilt 24 compromised machines, disabled affected GitHub workflows and replaced timestamp validation with SHA-based checks. They also audited 140 Jenkins jobs to remediate gaps. Although no customer data breach was reported, the incident exposed critical internal infrastructure, credentials and trust in the build process, forcing rapid incident response and infrastructure overhaul.
Source: https://cybersecuritynews.com/hijacking-nodejs-jenkins-agents/
"id": "nod600050125",
"linkid": "node-js",
"type": "Vulnerability",
"date": "5/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"