Critical Bug in NPM Package With Millions of Downloads Weekly

A widely used NPM package called ‘Pac-Resolver‘ for the JavaScript programming language has been remediated with a fix for a high-severity remote code execution vulnerability that could be abused to run malicious code inside Node.js applications whenever HTTP requests are sent.

The flaw, tracked as CVE-2021-23406, has a severity rating of 8.1 on the CVSS vulnerability scoring system and affects Pac-Resolver versions before 5.0.0.

A Proxy Auto-Configuration (PAC) file is a JavaScript function that determines whether web browser requests should be routed directly to the destination or forwarded to a web proxy server for a given hostname. PAC files are how proxy rules are distributed in enterprise environments.

“This package is used for PAC file support in Pac-Proxy-Agent, which is used in turn in Proxy-Agent, which then used all over the place as the standard go-to package for HTTP proxy auto-detection and configuration in Node.js,” Tim Perry said in a write-up published late last month. “It’s very popular: Proxy-Agent is used everywhere from AWS’s CDK toolkit to the Mailgun SDK to the Firebase CLI.”

CVE-2021-23406 has to do with how Pac-Proxy-Agent doesn’t sandbox PAC files correctly, resulting in a scenario where an untrusted PAC file can be abused to break out of the sandbox entirely and run arbitrary code on the underlying operating system. This, however, necessitates that the attacker either resides on the local network, has the capability to tamper with the contents of the PAC file, or chains it with a second vulnerability to alter the proxy configuration.

“This is a well-known attack against the VM module, and it works because Node doesn’t isolate the context of the ‘sandbox’ fully, because it’s not really trying to provide serious isolation,” Perry said. “The fix is simple: use a real sandbox instead of the VM built-in module.”

Red Hat, in an independent advisory, said the vulnerable package is shipped with its Advanced Cluster Management for Kubernetes product, but noted it’s “currently not aware of the vector to trigger the vulnerability in the affected component, furthermore the affected component is protected by user authentication lowering the potential impact of this vulnerability.”

You might also like

Leave A Reply

Your email address will not be published.