Analysis Summary

Security researchers from Researcher recently uncovered a critical vulnerability within the Node.js continuous integration and deployment (CI/CD) infrastructure that exposed the popular JavaScript runtime to potential supply chain attacks. The issue stemmed from a Time-of-Check-Time-of-Use (TOCTOU) flaw in how GitHub Actions communicated with internal Jenkins agents. Specifically, attackers could exploit this gap by submitting a legitimate pull request, waiting for approval and label addition, and then pushing malicious code with a forged Git commit timestamp that predates the labeling event. This bypassed the checkCommitsAfterReviewOrLabel() function and allowed unreviewed code to run on Jenkins agents.

According to the Researcher, the implications of this vulnerability were severe. Attackers could execute arbitrary code on Jenkins, install persistence mechanisms, harvest credentials, and potentially move laterally through Node.js’s internal infrastructure. Even more dangerously, a similar issue was found in the “commit-queue” process, which could have enabled direct malicious code injection into the main branchposing a supply chain risk to millions of downstream Node.js users.

In response to the Researcher’s March 21 disclosure, the Node.js team acted swiftly. They restricted Jenkins access, identified and rebuilt 24 compromised machines, and began replacing date-based validation with SHA-based checks to prevent commit timestamp forgery. By April 1, they had also audited 140 Jenkins jobs, focusing on the most critical ones, and temporarily disabled vulnerable GitHub workflows until robust security patches were in place.

This incident highlights the growing security complexity in modern CI/CD environments, especially those using multiple DevOps platforms. Weak coordination between systems like GitHub Actions and Jenkins can create exploitable boundaries. The researcher emphasized that managing these interactions is difficult and often left to the end user. The Node.js team’s transparent response, swift remediation, and implementation of stricter verification mechanisms set a strong example for how open-source projects should handle security threats in interconnected development ecosystems.

Impact

• Code Execution
• Security Bypass
• Gain Access

Remediation

• Immediately limited access to internal Jenkins CI runs to prevent further exploitation.
• Identified and rebuilt 24 compromised Jenkins agents to ensure a clean, trusted environment.
• Eliminated reliance on Git commit timestamps by implementing secure SHA-based commit verification.
• Conducted a comprehensive audit of 140 Jenkins jobs, prioritizing those used most frequently, to detect and remediate vulnerabilities.
• Temporarily shut down workflows that were vulnerable to TOCTOU exploitation until security fixes were applied.
• Strengthened communication mechanisms between GitHub Actions and Jenkins to prevent future bypass of code review checks.
• Implemented stricter controls to verify that only reviewed and approved code can trigger CI/CD jobs.