This NPM Package with Millions of Weekly Downloads Patched an RCE Flaw


A critical remote code execution (RCE) flaw has been fixed in the popular NPM package "pac-resolver." 

Developer Tim Perry discovered the vulnerability in the pac-resolver dependency. It could have enabled an attacker on a local network to run malicious code inside a Node.js process whenever that process sent an HTTP request. Node.js is the prominent runtime for web applications written in JavaScript.

"This package is used for PAC file support in Pac-Proxy-Agent, which is used in turn in Proxy-Agent, which is then used all over the place as the standard go-to package for HTTP proxy autodetection & configuration in Node.js," explains Perry.

According to Perry, PAC ("Proxy Auto-Config") files are JavaScript files that define complex proxy rules telling an HTTP client which proxy to use for a particular hostname. They are commonly delivered insecurely over HTTP rather than HTTPS, from both local network servers and remote servers.

Proxy-Agent is utilised in the Amazon Web Services Cloud Development Kit (CDK), the Mailgun SDK and Google's Firebase CLI, so the issue is widespread.

As stated by Perry, the package receives three million downloads each week and has 285,000 public dependent repos on GitHub. 

The vulnerability was assigned CVE-2021-23406 when it was identified last week and has now been fixed in the v5.0.0 releases of all of those packages. Many Node.js developers will therefore have to update to version 5.0.0.

Anyone using pac-resolver versions prior to 5.0.0 is affected by the issue if they do any of the following three things:
  • Explicitly use PAC files for proxy configuration 
  • Read and use the operating system proxy configuration in Node.js, on systems with WPAD enabled 
  • Use proxy configuration (env vars, config files, remote config endpoints, command-line arguments) from any other source that you wouldn't 100% trust to freely run code on your computer.
Perry added, "In any of those cases, an attacker (by configuring a malicious PAC URL, intercepting PAC file requests with a malicious file, or using WPAD) can remotely run arbitrary code on your computer any time you send an HTTP request using this proxy configuration."
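To find out whether a project still carries an affected copy of any of the three packages the article names, here is an added example (not code from the article or from the pac-resolver project) that scans a package-lock.json and flags every copy of pac-resolver, pac-proxy-agent or proxy-agent older than 5.0.0, including transitive copies nested under an SDK. The lockfile it runs on is constructed; the package name `some-sdk` is a placeholder.

```javascript
// Added example, not code from the article or the pac-resolver project:
// scan a package-lock.json for the packages named above and flag any copy
// older than the fixed 5.0.0 release. The lockfile below is constructed.
const FIXED = "5.0.0";
const WATCHED = new Set(["pac-resolver", "pac-proxy-agent", "proxy-agent"]);

// "MAJOR.MINOR.PATCH" (optional leading "v", prerelease suffix ignored) -> [M, m, p]
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when `v` sorts before the fixed release, comparing component by component.
function isBelowFix(v) {
  const a = parseVersion(v), b = parseVersion(FIXED);
  if (!a) return false; // unparsable (e.g. a git URL): not flagged, inspect by hand
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// lockfileVersion 2/3 keep a flat "packages" map keyed by install path; lockfileVersion 1
// nests "dependencies". Both layouts are walked, and nested (transitive) copies count.
function findVulnerable(lock) {
  const hits = [];
  const record = (p, name, version) => {
    if (WATCHED.has(name) && isBelowFix(version)) hits.push({ path: p, name, version });
  };
  if (lock.packages) {
    for (const [p, info] of Object.entries(lock.packages))
      if (p) record(p, p.split("node_modules/").pop(), info.version); // "" is the root
  } else {
    const walk = (deps, prefix) => {
      for (const [name, info] of Object.entries(deps || {})) {
        const p = `${prefix}node_modules/${name}`;
        record(p, name, info.version);
        walk(info.dependencies, p + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed v2 lockfile: top-level copies are patched, but "some-sdk" pins an older one.
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/proxy-agent": { version: "5.0.0" },
  "node_modules/pac-resolver": { version: "5.0.0" },
  "node_modules/some-sdk/node_modules/pac-resolver": { version: "4.2.0" },
} };
const REPORT = findVulnerable(SAMPLE_LOCK);
// REPORT -> [{ path: "node_modules/some-sdk/node_modules/pac-resolver", name: "pac-resolver", version: "4.2.0" }]
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; an empty result means every watched package in the tree is already at 5.0.0 or later.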