Critical Flaw in Pac-Resolver NPM Package Affects 290,000 Repositories
A high severity vulnerability recently addressed in popular NPC package Pac-Resolver could be exploited to execute arbitrary code remotely.
The vulnerability (CVE-2021-23406, CVSS score of 8.1) was discovered and reported by Tim Perry on May 30. The issue was addressed with the release of Pac-Resolver 5.0.0 in late July, but information on it wasn’t made public until last week.
In a blog post, Perry explains that the security hole can be exploited by an attacker on the local network to execute arbitrary code remotely inside the Node.js process when the user attempts to send an HTTP request.
Perry discovered the issue in Pac-Proxy-Agent, which relies on two packages – Pac-Resolver and Degenerator – to build the PAC function, without offering a security mechanism for the execution of supplied code.
Pac-Resolver was designed to generate an asynchronous resolver function from a PAC (Proxy Auto-Config) file. The package has roughly 3 million weekly downloads, with nearly 290,000 GitHub repositories depending on it.
“If you accept and use an untrusted PAC file, this is very bad. Every time you make a request using the PAC file, it can run arbitrary code and do anything on your system,” the researcher says.
For successful exploitation, however, an attacker needs to be on the local network and also needs a second flaw, such as a vulnerable configuration, to set configuration values.
“Anybody using a Node.js CLI tool designed to support enterprise proxies in a coffee shop, hotel or airport is potentially vulnerable, for example,” the researcher explains.
The attacker would need to provide a malicious PAC file that could break out of the VM module sandbox and then convince the potential victim to use the PAC file as their proxy configuration, which would allow the attacker to run arbitrary code on their machine.
To patch the issue, the VM2 npm module was implemented. Not only was it designed to run untrusted code, but is also hardened to block sandbox escapes.
“If you depend on Pac-Resolver, and there’s any way you might be using PAC files in your proxy configuration: update to Pac-Resolver v5+ now,” the researcher recommends.