Security News > 2021 > September > Critical Bug Reported in NPM Package With Millions of Downloads Weekly
A widely used NPM package called 'Pac-Resolver' for the JavaScript programming language has been remediated with a fix for a high-severity remote code execution vulnerability that could be abused to run malicious code inside Node.js applications whenever HTTP requests are sent.
A Proxy Auto-Configuration file is a JavaScript function that determines whether web browser requests should be routed directly to the destination or forwarded to a web proxy server for a given hostname.
PAC files are how proxy rules are distributed in enterprise environments.
"This package is used for PAC file support in Pac-Proxy-Agent, which is used in turn in Proxy-Agent, which then used all over the place as the standard go-to package for HTTP proxy auto-detection and configuration in Node.js," Tim Perry said in a write-up published late last month.
CVE-2021-23406 has to do with how Pac-Proxy-Agent doesn't sandbox PAC files correctly, resulting in a scenario where an untrusted PAC file can be abused to break out of the sandbox entirely and run arbitrary code on the underlying operating system.
Red Hat, in an independent advisory, said the vulnerable package is shipped with its Advanced Cluster Management for Kubernetes product, but noted it's "Currently not aware of the vector to trigger the vulnerability in the affected component, furthermore the affected component is protected by user authentication lowering the potential impact of this vulnerability."
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-08-24 | CVE-2021-23406 | Unspecified vulnerability in Pac-Resolver Project Pac-Resolver This affects the package pac-resolver before 5.0.0. | 7.5 |