This NPM package with millions of weekly downloads fixed a remote code execution flaw
“This package is used for the support of PAC files in Pac-Proxy-Agent, which in turn is used in Proxy-Agent, which is then used everywhere as a standard package for automatic detection and configuration of the HTTP proxy in Node.js,” Perry explains.
The exposure is broad because Proxy-Agent is used in the Amazon Web Services Cloud Development Kit (CDK), the Mailgun SDK, and Google's Firebase CLI.
Pac-Resolver itself gets three million downloads per week and has 285,000 dependent public repositories on GitHub, Perry notes in a blog post.
The vulnerability, assigned CVE-2021-23406 after its disclosure last week, was patched in version 5.0.0 of Pac-Resolver, Pac-Proxy-Agent and Proxy-Agent.
This means that many developers with Node.js apps are potentially affected and will need to update to version 5.0.0 or later.
It affects any Node.js application that depends on Pac-Resolver before version 5.0.0 and uses one of the following three configurations:
- Explicitly use PAC files for proxy configuration
- Read and use the operating system proxy configuration in Node.js, on systems with WPAD enabled
- Use proxy configuration (env vars, config files, remote config endpoints, command line arguments) from any other source that you would not trust 100% to run code freely on your computer
“In all of these cases, an attacker (by configuring a malicious PAC URL, intercepting PAC file requests with a malicious file, or using WPAD) can remotely execute arbitrary code on your computer each time you send an HTTP request using this proxy setup,” Perry notes.
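The first practical question for anyone maintaining a Node.js service is whether an affected version is actually installed, including copies nested under other dependencies, since a fixed Proxy-Agent at the top level does nothing for an older copy pinned by some SDK. The following script is an added example, not code from the article or from the pac-resolver project: it walks a package-lock.json (both the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of v1) and flags the three packages the article names at versions below the 5.0.0 fix. The package names and the 5.0.0 threshold come from the article; the lockfile at the bottom is constructed for the example.

```javascript
// Added example (not from the article or the pac-resolver project): audit a
// parsed package-lock.json for pac-resolver, pac-proxy-agent and proxy-agent
// installs older than the 5.0.0 release that fixed CVE-2021-23406.

const FIXED_VERSION = '5.0.0';
const AFFECTED = new Set(['pac-resolver', 'pac-proxy-agent', 'proxy-agent']);

// Numeric major.minor.patch comparison. A pre-release (e.g. 5.0.0-beta.1)
// sorts below its final release, as semver requires, so it is still flagged.
function versionLessThan(a, b) {
  const [coreA, preA] = a.split('-', 2);
  const [coreB, preB] = b.split('-', 2);
  const pa = coreA.split('.').map(Number);
  const pb = coreB.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return Boolean(preA) && !preB;
}

// Lockfile v2/v3 carries a flat "packages" map keyed by install path; v1 has
// a nested "dependencies" tree. Both are walked so nested copies are seen.
function collectInstalls(lock) {
  const found = [];
  if (lock.packages) {
    const marker = 'node_modules/';
    for (const [installPath, meta] of Object.entries(lock.packages)) {
      if (installPath === '') continue; // the root project entry
      const name = installPath.slice(installPath.lastIndexOf(marker) + marker.length);
      found.push({ name, version: meta.version, path: installPath });
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const installPath = `${prefix}node_modules/${name}`;
      found.push({ name, version: meta.version, path: installPath });
      walk(meta.dependencies, `${installPath}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Entries without a version string (e.g. workspace links) are skipped.
function findVulnerable(lock) {
  return collectInstalls(lock).filter(
    (p) => AFFECTED.has(p.name)
      && typeof p.version === 'string'
      && versionLessThan(p.version, FIXED_VERSION),
  );
}

function report(lock) {
  return findVulnerable(lock).map((h) => `${h.name}@${h.version} at ${h.path}`);
}

// Constructed lockfile: the top-level proxy-agent chain is already on 5.0.0,
// but a hypothetical "some-sdk" dependency still pins the old 4.x versions.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/proxy-agent': { version: '5.0.0' },
    'node_modules/proxy-agent/node_modules/pac-proxy-agent': { version: '5.0.0' },
    'node_modules/proxy-agent/node_modules/pac-resolver': { version: '5.0.0' },
    'node_modules/some-sdk': { version: '2.3.1' },
    'node_modules/some-sdk/node_modules/proxy-agent': { version: '4.0.1' },
    'node_modules/some-sdk/node_modules/pac-proxy-agent': { version: '4.1.0' },
    'node_modules/some-sdk/node_modules/pac-resolver': { version: '4.2.0' },
  },
};

const findings = report(SAMPLE_LOCK);
console.log(findings.length ? findings.join('\n') : 'no affected versions found');
```

Against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findVulnerable` instead of the constructed object, or cross-check with `npm ls pac-resolver`, which prints every installed copy with its parent chain. Remember that a clean lockfile only shows the first of Perry's three conditions is closed off at the dependency level; whether the process reads OS proxy settings on a WPAD-enabled host or accepts proxy configuration from an untrusted source is a deployment question the lockfile cannot answer.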