Cybersecurity researchers have found a high-severity remote code execution (RCE) vulnerability in a widely used NPM package named Pac-Resolver.
According to researcher Tim Perry, who found the flaw, PAC stands for Proxy Auto-Config: scripts written in JavaScript that help HTTP clients pick the right proxy for a given hostname using dynamic logic.
"This package is used for PAC file support in Pac-Proxy-Agent, which is used in turn in Proxy-Agent, which is then used all over the place as the standard go-to package for HTTP proxy autodetection & configuration in Node.js. It's very popular," writes Perry.
He adds that Proxy-Agent clocks about a few million downloads per week, and exists in 285,000 public dependent repos on GitHub.
Affects countless applications
In his post, Perry explains that the vulnerability, tracked as CVE-2021-23406, could allow bad actors to remotely run arbitrary code on your computer every time you send an HTTP request.
Further outlining the circumstances that make Node.js applications vulnerable to exploitation, Perry says the vulnerability affects all Pac-Resolver users who explicitly use PAC files for proxy configuration, or read and use the operating system proxy configuration on systems that use the WPAD protocol, or use proxy configuration from an untrusted source.
In other words, Perry believes the vulnerability affects anybody who uses the Pac-Resolver package in their applications.
"If you're in this situation, you want to update (to Pac-Resolver v5 and/or Proxy-Agent v5) right now," says Perry.
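A practical way to act on that advice is to audit a project's lockfile for any copy of pac-resolver or proxy-agent below the fixed major version (v5), including nested copies pulled in transitively. The following Node.js script is an added example, not code from Perry or the affected projects; the lockfile data is constructed inline and the "first fixed major is 5" rule is taken from the advice above.

```javascript
// Audit a package-lock.json (lockfileVersion 2/3 "packages" map) for
// pac-resolver / proxy-agent versions below the fixed major version.
// The sample lockfile below is constructed for this example.
const FIRST_FIXED_MAJOR = { 'pac-resolver': 5, 'proxy-agent': 5 };

// Extract the major number from "a.b.c" (optional "v" prefix / suffix).
function majorOf(version) {
  const m = /^v?(\d+)\.\d+\.\d+/.exec(version);
  return m ? Number(m[1]) : NaN;
}

// Lockfile keys look like "node_modules/proxy-agent" or, for nested copies,
// "node_modules/some-tool/node_modules/pac-resolver"; the last segment after
// "node_modules/" is the package name (scoped names are preserved).
function packageNameFromPath(lockPath) {
  return lockPath.split('node_modules/').pop();
}

// Return every installed copy of a tracked package whose major version is
// below the first fixed major, or whose version cannot be parsed.
function findVulnerable(lock) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (!(name in FIRST_FIXED_MAJOR) || !entry.version) continue;
    const major = majorOf(entry.version);
    if (Number.isNaN(major) || major < FIRST_FIXED_MAJOR[name]) {
      hits.push({ path: lockPath, name, version: entry.version,
                  fixedMajor: FIRST_FIXED_MAJOR[name] });
    }
  }
  return hits;
}

// Constructed sample: one direct vulnerable copy, one nested vulnerable copy,
// one already-fixed copy, and an unrelated package.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/proxy-agent': { version: '4.0.1' },
    'node_modules/pac-resolver': { version: '5.0.0' },
    'node_modules/old-tool/node_modules/pac-resolver': { version: '4.2.0' },
    'node_modules/express': { version: '4.17.1' },
  },
};

for (const h of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${h.path}: ${h.name}@${h.version} -> update to >= ${h.fixedMajor}.0.0`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`.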