Connect with us

Hi, what are you looking for?


Application Security

Critical Flaw in Pac-Resolver NPM Package Affects 290,000 Repositories

A high severity vulnerability recently addressed in popular NPC package Pac-Resolver could be exploited to execute arbitrary code remotely.

A high severity vulnerability recently addressed in popular NPC package Pac-Resolver could be exploited to execute arbitrary code remotely.

The vulnerability (CVE-2021-23406, CVSS score of 8.1) was discovered and reported by Tim Perry on May 30. The issue was addressed with the release of Pac-Resolver 5.0.0 in late July, but information on it wasn’t made public until last week.

In a blog post, Perry explains that the security hole can be exploited by an attacker on the local network to execute arbitrary code remotely inside the Node.js process when the user attempts to send an HTTP request.

A PAC file is essentially a piece of JavaScript code that informs an HTTP client which proxy to use for a given hostname and can be used for the distribution of complex proxy rules, given that a single file could map multiple links to different proxies.

Perry discovered the issue in Pac-Proxy-Agent, which relies on two packages – Pac-Resolver and Degenerator – to build the PAC function, without offering a security mechanism for the execution of supplied code.

Pac-Resolver was designed to generate an asynchronous resolver function from a PAC (Proxy Auto-Config) file. The package has roughly 3 million weekly downloads, with nearly 290,000 GitHub repositories depending on it.

“If you accept and use an untrusted PAC file, this is very bad. Every time you make a request using the PAC file, it can run arbitrary code and do anything on your system,” the researcher says.  

Advertisement. Scroll to continue reading.

For successful exploitation, however, an attacker needs to be on the local network and also needs a second flaw, such as a vulnerable configuration, to set configuration values.

“Anybody using a Node.js CLI tool designed to support enterprise proxies in a coffee shop, hotel or airport is potentially vulnerable, for example,” the researcher explains.

The attacker would need to provide a malicious PAC file that could break out of the VM module sandbox and then convince the potential victim to use the PAC file as their proxy configuration, which would allow the attacker to run arbitrary code on their machine.

To patch the issue, the VM2 npm module was implemented. Not only was it designed to run untrusted code, but is also hardened to block sandbox escapes.

“If you depend on Pac-Resolver, and there’s any way you might be using PAC files in your proxy configuration: update to Pac-Resolver v5+ now,” the researcher recommends.

Related: Cisco, Sonatype and Others Join Open Source Security Foundation

Related: New Google Tool Helps Developers Visualize Open Source Dependencies

Related: CodeCov Discloses Ominous Software Supply Chain Hack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...