Cloudflare Workers KV security notice

If you are a user of Cloudflare Workers KV, like me, then you will have received an email alerting you to a vulnerability that has recently been discovered and fixed, on 14th October.  They’d actually deployed a fix within 4 hours of being notified via their bug bounty program on HackerOne, which is impressive to say the least.

In short, each Workers KV has a namespace ID, which is a random 122 bit value.  If you have made this publicly available anywhere, such as source code on Github, then this could have been used in order to not only access your datastore, but also modify key-value pairs.

In my recent posts on Cloudflare full page caching (part two and part three) I used the Workers KV to store a cache of the HTML source code for my website.  In this example, if someone had access to my namespace ID they would have been able to pollute this cache and effectively modify the contents of my website, inserting malware, malvertising, or anything else.

Just to be clear, they didn’t, this is just a hypothetical.

However, if you have any reason to believe that your namespace ID may have been made public, you are advised to check the integrity of the data in the datastore.  Also if you have anything like access tokens stored in there, these should be expired and rotated in case they have been stolen.