Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Critical Flaw in Pac-Resolver NPM Package Affects 290,000 Repositories

A high severity vulnerability recently addressed in popular NPC package Pac-Resolver could be exploited to execute arbitrary code remotely.

A high severity vulnerability recently addressed in popular NPC package Pac-Resolver could be exploited to execute arbitrary code remotely.

The vulnerability (CVE-2021-23406, CVSS score of 8.1) was discovered and reported by Tim Perry on May 30. The issue was addressed with the release of Pac-Resolver 5.0.0 in late July, but information on it wasn’t made public until last week.

In a blog post, Perry explains that the security hole can be exploited by an attacker on the local network to execute arbitrary code remotely inside the Node.js process when the user attempts to send an HTTP request.

A PAC file is essentially a piece of JavaScript code that informs an HTTP client which proxy to use for a given hostname and can be used for the distribution of complex proxy rules, given that a single file could map multiple links to different proxies.

Perry discovered the issue in Pac-Proxy-Agent, which relies on two packages – Pac-Resolver and Degenerator – to build the PAC function, without offering a security mechanism for the execution of supplied code.

Pac-Resolver was designed to generate an asynchronous resolver function from a PAC (Proxy Auto-Config) file. The package has roughly 3 million weekly downloads, with nearly 290,000 GitHub repositories depending on it.

Advertisement. Scroll to continue reading.

“If you accept and use an untrusted PAC file, this is very bad. Every time you make a request using the PAC file, it can run arbitrary code and do anything on your system,” the researcher says.  

For successful exploitation, however, an attacker needs to be on the local network and also needs a second flaw, such as a vulnerable configuration, to set configuration values.

“Anybody using a Node.js CLI tool designed to support enterprise proxies in a coffee shop, hotel or airport is potentially vulnerable, for example,” the researcher explains.

The attacker would need to provide a malicious PAC file that could break out of the VM module sandbox and then convince the potential victim to use the PAC file as their proxy configuration, which would allow the attacker to run arbitrary code on their machine.

To patch the issue, the VM2 npm module was implemented. Not only was it designed to run untrusted code, but is also hardened to block sandbox escapes.

“If you depend on Pac-Resolver, and there’s any way you might be using PAC files in your proxy configuration: update to Pac-Resolver v5+ now,” the researcher recommends.

Related: Cisco, Sonatype and Others Join Open Source Security Foundation

Related: New Google Tool Helps Developers Visualize Open Source Dependencies

Related: CodeCov Discloses Ominous Software Supply Chain Hack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Jazz has named Sean Robinson, Rickie Goyal, Danielle Guetta, Shani Nago, and Lior Magram as VPs and Michael Calev as COO.

AJ Shipley has been appointed Chief Product Officer at CrowdStrike.

Brinqa has named Ron Dovich as Chief AI and Automation Officer, David Allen as CTO, Steve Biagioni as CFO, and James Walta as VP of Product.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.