The flaw, tracked as CVE-2021-23406, has a severity rating of 8.1 on the CVSS vulnerability rating system and affects Pac-Resolver versions prior to 5.0.0.
“This package is used for the support of PAC files in Pac-Proxy-Agent, which in turn is used in Proxy-Agent, which is then used everywhere as a standard package for automatic detection and configuration of the HTTP proxy in Node.js,” said Tim Perry in an article published late last month. “It’s very popular: Proxy-Agent is used everywhere, from the AWS CDK toolkit to the Mailgun SDK to the Firebase CLI.”
CVE-2021-23406 stems from the way Pac-Resolver (and therefore Pac-Proxy-Agent, which depends on it) evaluates PAC files: the PAC script, which is ordinary JavaScript, is run without a proper sandbox, so an untrusted PAC file can break out of the evaluation context entirely and execute arbitrary code on the underlying operating system. Exploitation does require the attacker to be on the local network, to be able to tamper with the contents of the PAC file, or to chain the bug with a second vulnerability that modifies the proxy configuration.
“This is a well-known attack on the VM module, and it works because Node doesn’t completely isolate the ‘sandbox’ context, because it doesn’t really try to provide serious isolation,” Perry said. “The solution is simple: use a real sandbox instead of the built-in VM module.”
Red Hat, in an independent review, said the vulnerable package ships with its Advanced Cluster Management for Kubernetes product, but noted that it is “currently not aware of the vector to trigger the vulnerability in the affected component. Additionally, the affected component is protected by user authentication, reducing the potential impact of this vulnerability.”