Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Critical Flaw in Pac-Resolver NPM Package Affects 290,000 Repositories

A high severity vulnerability recently addressed in popular NPC package Pac-Resolver could be exploited to execute arbitrary code remotely.

A high severity vulnerability recently addressed in popular NPC package Pac-Resolver could be exploited to execute arbitrary code remotely.

The vulnerability (CVE-2021-23406, CVSS score of 8.1) was discovered and reported by Tim Perry on May 30. The issue was addressed with the release of Pac-Resolver 5.0.0 in late July, but information on it wasn’t made public until last week.

In a blog post, Perry explains that the security hole can be exploited by an attacker on the local network to execute arbitrary code remotely inside the Node.js process when the user attempts to send an HTTP request.

A PAC file is essentially a piece of JavaScript code that informs an HTTP client which proxy to use for a given hostname and can be used for the distribution of complex proxy rules, given that a single file could map multiple links to different proxies.

Perry discovered the issue in Pac-Proxy-Agent, which relies on two packages – Pac-Resolver and Degenerator – to build the PAC function, without offering a security mechanism for the execution of supplied code.

Pac-Resolver was designed to generate an asynchronous resolver function from a PAC (Proxy Auto-Config) file. The package has roughly 3 million weekly downloads, with nearly 290,000 GitHub repositories depending on it.

“If you accept and use an untrusted PAC file, this is very bad. Every time you make a request using the PAC file, it can run arbitrary code and do anything on your system,” the researcher says.  

For successful exploitation, however, an attacker needs to be on the local network and also needs a second flaw, such as a vulnerable configuration, to set configuration values.

“Anybody using a Node.js CLI tool designed to support enterprise proxies in a coffee shop, hotel or airport is potentially vulnerable, for example,” the researcher explains.

The attacker would need to provide a malicious PAC file that could break out of the VM module sandbox and then convince the potential victim to use the PAC file as their proxy configuration, which would allow the attacker to run arbitrary code on their machine.

To patch the issue, the VM2 npm module was implemented. Not only was it designed to run untrusted code, but is also hardened to block sandbox escapes.

“If you depend on Pac-Resolver, and there’s any way you might be using PAC files in your proxy configuration: update to Pac-Resolver v5+ now,” the researcher recommends.

Related: Cisco, Sonatype and Others Join Open Source Security Foundation

Related: New Google Tool Helps Developers Visualize Open Source Dependencies

Related: CodeCov Discloses Ominous Software Supply Chain Hack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.