The popular NPM library Pac-Resolver has received a patch for a remote code execution vulnerability that exposes apps to hijacking via a malicious proxy configuration. The library is downloaded over three million times a week, so a significant number of apps are at risk.
The bug causes any app using the unpatched code to execute malicious code if an attacker supplies it with specific proxy configuration information, which can reach the app from multiple sources.
Developers are encouraged to update their app dependencies to get rid of the bug and push updates to their users to make sure they’re safe.
What’s the bug all about?
Tim Perry, the developer of HTTP Toolkit, discovered the bug while adding proxy support to his project; it was disclosed a week ago and is tracked as CVE-2021-23406. The library supports Proxy Auto-Config (PAC) files, which tell HTTP clients which proxies to use for different hostnames.
“An attacker (by configuring a malicious PAC URL, intercepting PAC file requests with a malicious file, or using WPAD) can remotely run arbitrary code on your computer any time you send an HTTP request using this proxy configuration,” explains Tim in an advisory put out Tuesday.
The PAC system was designed for Netscape Navigator 2.0 in 1996 but is still in widespread use today. Pac-Resolver v5 fixes the vulnerability. Therefore, if you’re using any version of the library older than v5, you should immediately update your dependencies.
The vulnerability seriously affects developers who depend on the Pac-Resolver library versions older than v5 in a Node.js application and do one of the following:
- Explicitly use PAC files for proxy configuration.
- Read and use OS proxy configurations in Node.js on WPAD enabled systems.
- Use proxy configurations from untrusted sources.