Security researchers discovered a critical TOCTOU vulnerability in Node.js’s CI/CD infrastructure that allowed attackers to execute malicious code on internal Jenkins agents. An adversary could submit a legitimate pull request, obtain approval and the request-ci label, then push new commits with forged timestamps to bypass code review checks. Once inside the pipeline, the malicious payload could establish persistence in the Jenkins environment, harvest internal credentials and move laterally across build and test systems. A parallel flaw in the commit-queue process might have enabled injection of unreviewed code directly into the main branch, threatening the entire Node.js supply chain. The Node.js security team swiftly restricted access to vulnerable Jenkins runs, rebuilt 24 compromised machines, disabled affected GitHub workflows and replaced timestamp validation with SHA-based checks. They also audited 140 Jenkins jobs to remediate gaps. Although no customer data breach was reported, the incident exposed critical internal infrastructure, credentials and trust in the build process, forcing rapid incident response and infrastructure overhaul.
Source: https://cybersecuritynews.com/hijacking-nodejs-jenkins-agents/
TPRM report: https://scoringcyber.rankiteo.com/company/node-js
{
  "id": "nod600050125",
  "linkid": "node-js",
  "type": "Vulnerability",
  "date": "5/2025",
  "severity": "60",
  "impact": "3",
  "explanation": "Attack with significant impact with internal employee data leaks"
}
{
  "affected_entities": [
    {
      "industry": "Software Development",
      "name": "Node.js",
      "type": "Open Source Project"
    }
  ],
  "attack_vector": "CI/CD Pipeline",
  "description": "Security researchers discovered a critical TOCTOU vulnerability in Node.js’s CI/CD infrastructure that allowed attackers to execute malicious code on internal Jenkins agents. An adversary could submit a legitimate pull request, obtain approval and the request-ci label, then push new commits with forged timestamps to bypass code review checks. Once inside the pipeline, the malicious payload could establish persistence in the Jenkins environment, harvest internal credentials and move laterally across build and test systems. A parallel flaw in the commit-queue process might have enabled injection of unreviewed code directly into the main branch, threatening the entire Node.js supply chain. The Node.js security team swiftly restricted access to vulnerable Jenkins runs, rebuilt 24 compromised machines, disabled affected GitHub workflows and replaced timestamp validation with SHA-based checks. They also audited 140 Jenkins jobs to remediate gaps. Although no customer data breach was reported, the incident exposed critical internal infrastructure, credentials and trust in the build process, forcing rapid incident response and infrastructure overhaul.",
  "impact": {
    "systems_affected": [
      "Internal Jenkins agents",
      "Build and test systems"
    ]
  },
  "response": {
    "containment_measures": [
      "Restricted access to vulnerable Jenkins runs",
      "Rebuilt 24 compromised machines",
      "Disabled affected GitHub workflows"
    ],
    "remediation_measures": [
      "Replaced timestamp validation with SHA-based checks",
      "Audited 140 Jenkins jobs to remediate gaps"
    ]
  },
  "title": "TOCTOU Vulnerability in Node.js CI/CD Infrastructure",
  "type": "Vulnerability Exploitation",
  "vulnerability_exploited": "TOCTOU Vulnerability"
}