Cybersecurity researchers have found a high-severity remote code execution (RCE) vulnerability inside a widely used NPM package named Pac-Resolver.
According to researcher Tim Perry, who found the flaw, PAC stands for Proxy Auto-Config: PAC files are scripts written in JavaScript that help HTTP clients select the right proxy for a given hostname using dynamic logic.
“This package is used for PAC file support in Pac-Proxy-Agent, which is used in turn in Proxy-Agent, which is then used all over the place as the standard go-to package for HTTP proxy autodetection & configuration in Node.js. It's very popular,” writes Perry.
He adds that Proxy-Agent clocks about three million downloads per week, and exists in 285,000 public dependent repos on GitHub.
Affects countless apps
In his post, Perry explains that the vulnerability, tracked as CVE-2021-23406, could enable bad actors to remotely run arbitrary code on your computer whenever you send an HTTP request.
Further explaining the conditions that make Node.js apps prone to exploitation, Perry says the vulnerability affects all Pac-Resolver users who explicitly use PAC files for proxy configuration, or read and use the operating system proxy configuration on systems that use the WPAD protocol, or use proxy configuration from an untrusted source.
In effect, Perry believes the vulnerability affects anyone who uses the Pac-Resolver package in their apps.
“If you're in this situation, you need to update (to Pac-Resolver v5 and/or Proxy-Agent v5) right now,” suggests Perry.
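One way to act on that advice, as an added example that is not code from the article or from the Pac-Resolver project: a Node.js script that walks a package-lock.json and reports any pac-resolver or proxy-agent entry still below major version 5. The sample lockfile embedded in the block is constructed for the demonstration; the script also accepts a real lockfile path as its argument.

```javascript
// Added example (not from the article or the Pac-Resolver project): flag lockfile
// entries for the packages the article names whose major version is below 5.
const FIXED_MAJOR = { 'pac-resolver': 5, 'proxy-agent': 5 };
// Major version of "4.2.0", "v4.2.0" or "4.2.0-beta.1"; NaN for anything else.
function majorOf(version) {
  const m = /^v?(\d+)\./.exec(String(version));
  return m ? Number(m[1]) : NaN;
}
// Walk a package-lock.json object; return [{name, version, path}] for affected entries.
function findVulnerableDeps(lock) {
  const hits = [];
  const check = (name, version, where) => {
    const fixed = FIXED_MAJOR[name];
    if (fixed !== undefined && majorOf(version) < fixed) hits.push({ name, version, path: where });
  };
  // lockfileVersion 2/3: flat "packages" map keyed by node_modules path ("" is the root).
  for (const [p, entry] of Object.entries(lock.packages || {})) {
    check(p.split('node_modules/').pop(), entry.version, p);
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const where = `${prefix}node_modules/${name}`;
      check(name, entry.version, where);
      walk(entry.dependencies, where + '/');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}
// Constructed sample lockfile (lockfileVersion 2 shape), not a real project.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/proxy-agent': { version: '4.0.1' },
    'node_modules/proxy-agent/node_modules/pac-resolver': { version: '4.2.0' },
    'node_modules/some-other-lib': { version: '2.3.4' },
  },
};
// Usage: node scan.js [path/to/package-lock.json]; without an argument it scans the sample.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  for (const h of findVulnerableDeps(lock)) console.log(`${h.name}@${h.version} at ${h.path} is below v5; upgrade`);
}
```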