This NPM package with millions of weekly downloads fixed a remote code execution flaw

A very popular NPM package called ‘pac-resolver’ for the JavaScript programming language has been fixed to fix a remote code execution flaw that could affect many Node.js applications.

The flaw in the pac-resolver dependency was discovered by developer Tim Perry who notes that it could have allowed an attacker on a local network to remotely execute malicious code inside a Node.js process. whenever an operator tried to send an HTTP request. Note.js is the popular JavaScript runtime for running JavaScript web applications.

see also

Best VPN Services

Virtual private networks are essential for staying safe online, especially for remote workers and businesses. Here are your top picks for VPN service providers, and how to get set up quickly.

Read more

“This package is used for the support of PAC files in Pac-Proxy-Agent, which in turn is used in Proxy-Agent, which is then used everywhere as a standard package for automatic detection and configuration of the HTTP proxy in Node.js, ”Perry explains.

SEE: Developers, DevOps or cybersecurity? What are the top tech talent employers are looking for now?

PAC or “Proxy-Auto Config” refers to PAC files written in JavaScript to distribute complex proxy rules that tell an HTTP client which proxy to use for a given hostname, Perry notes, adding that they are largely used in business systems. They are distributed from local network servers and remote servers, often insecurely over HTTP rather than HTTPs.

This is a common problem because Proxy-Agent is used in Google’s Amazon Web Services Cloud Development Kit (CDK), Mailgun SDK, and Firebase CLI.

The package gets three million downloads per week and has 285,000 dependent public repositories on GitHub, Perry notes in a blog post.

The vulnerability was patched in version 5.0.0 of all of these packages recently and was marked as CVE-2021-23406 after its disclosure last week.

This means that many developers with Node.js apps are potentially affected and will need to update to version 5.0.

It affects anyone who depends on Pac-Resolver before version 5.0 in a Node.js application. This affects these apps if the developers have done one of the following three configurations:

  • Explicitly use PAC files for proxy configuration
  • Read and use the operating system proxy configuration in Node.js, on systems with WPAD enabled
  • Use proxy configuration (env vars, config files, remote config endpoints, command line arguments) from any other source that you would not trust 100% to run code freely on your computer

“In all of these cases, an attacker (by configuring a malicious PAC URL, intercepting PAC file requests with a malicious file, or using WPAD) can remotely execute arbitrary code on your computer each time you send an HTTP request. using this proxy setup, ”Perry notes.

Sam D. Gomez