Critical bug reported in NPM package with millions of weekly downloads


A widely used NPM package called “Pac-Resolver” for the JavaScript programming language has been fixed with a fix for a high severity remote code execution vulnerability that could be abused to execute malicious code in computers. Node.js applications whenever HTTP requests are sent.

The flaw, tracked as CVE-2021-23406, has a severity rating of 8.1 on the CVSS vulnerability rating system and affects Pac-Resolver versions prior to 5.0.0.

GitHub automatic backups

A proxy automatic configuration (PAC) file is a JavaScript function that determines whether web browser requests should be routed directly to the destination or forwarded to a web proxy server for a given host name. PAC files are the way proxy rules are distributed in corporate environments.

“This package is used for the support of PAC files in Pac-Proxy-Agent, which in turn is used in Proxy-Agent, which is then used everywhere as a standard package for automatic detection and configuration of the HTTP proxy in Node .js, “said Tim Perry in an article published late last month. “It’s very popular: Proxy-Agent is used everywhere, from the AWS CDK toolkit to the Mailgun SDK to the Firebase CLI. “

CVE-2021-23406 has to do with how Pac-Proxy-Agent does not sandbox PAC files properly, resulting in a scenario where an untrusted PAC file can be abused to completely exit the sandbox and execute arbitrary code on the underlying system operation. However, this requires the attacker to reside on the local network, have the ability to tamper with the contents of the PAC file, or chain it with a second vulnerability to modify the proxy configuration.

Prevent data breaches

“This is a well-known attack on the VM module, and it works because Node doesn’t completely isolate the ‘sandbox’ context, because it doesn’t really try to provide serious isolation,” Perry said. “The solution is simple: use a real sandbox instead of the VM’s built-in module. “

Red Hat, in an independent review, said the vulnerable package ships with its Advanced Cluster Management for Kubernetes product, but noted that it is “currently not aware of the vector to trigger the vulnerability in the affected component, Additionally the affected component is protected by user authentication reducing the potential impact of this vulnerability. “


Sam D. Gomez