Connect with us

Hi, what are you looking for?


Application Security

Critical Flaw in Pac-Resolver NPM Package Affects 290,000 Repositories

A high severity vulnerability recently addressed in popular NPC package Pac-Resolver could be exploited to execute arbitrary code remotely.

A high severity vulnerability recently addressed in popular NPC package Pac-Resolver could be exploited to execute arbitrary code remotely.

The vulnerability (CVE-2021-23406, CVSS score of 8.1) was discovered and reported by Tim Perry on May 30. The issue was addressed with the release of Pac-Resolver 5.0.0 in late July, but information on it wasn’t made public until last week.

In a blog post, Perry explains that the security hole can be exploited by an attacker on the local network to execute arbitrary code remotely inside the Node.js process when the user attempts to send an HTTP request.

A PAC file is essentially a piece of JavaScript code that informs an HTTP client which proxy to use for a given hostname and can be used for the distribution of complex proxy rules, given that a single file could map multiple links to different proxies.

Perry discovered the issue in Pac-Proxy-Agent, which relies on two packages – Pac-Resolver and Degenerator – to build the PAC function, without offering a security mechanism for the execution of supplied code.

Pac-Resolver was designed to generate an asynchronous resolver function from a PAC (Proxy Auto-Config) file. The package has roughly 3 million weekly downloads, with nearly 290,000 GitHub repositories depending on it.

“If you accept and use an untrusted PAC file, this is very bad. Every time you make a request using the PAC file, it can run arbitrary code and do anything on your system,” the researcher says.  

For successful exploitation, however, an attacker needs to be on the local network and also needs a second flaw, such as a vulnerable configuration, to set configuration values.

Advertisement. Scroll to continue reading.

“Anybody using a Node.js CLI tool designed to support enterprise proxies in a coffee shop, hotel or airport is potentially vulnerable, for example,” the researcher explains.

The attacker would need to provide a malicious PAC file that could break out of the VM module sandbox and then convince the potential victim to use the PAC file as their proxy configuration, which would allow the attacker to run arbitrary code on their machine.

To patch the issue, the VM2 npm module was implemented. Not only was it designed to run untrusted code, but is also hardened to block sandbox escapes.

“If you depend on Pac-Resolver, and there’s any way you might be using PAC files in your proxy configuration: update to Pac-Resolver v5+ now,” the researcher recommends.

Related: Cisco, Sonatype and Others Join Open Source Security Foundation

Related: New Google Tool Helps Developers Visualize Open Source Dependencies

Related: CodeCov Discloses Ominous Software Supply Chain Hack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Retired U.S. Army General and former NSA Director Paul M. Nakasone has joined the Board of Directors at OpenAI.

Jill Passalacqua has been appointed Chief Legal Officer at autonomous security solutions provider

Cisco has appointed Sean Duca as CISO and Practice Leader for the APJC region.

More People On The Move

Expert Insights