Skip to content

Pac-Resolver library exposes apps to hijacking; downloaded 3M times a week

  • by
  • 2 min read

Popular NPM library Pac-Resolver has received a patch to fix a remote-code execution library that exposes apps hijacking via evil proxy config. The library gets downloaded over three million times a week, which means a significant number of apps are at risk.

The bug causes any app using the unpatched code to execute malicious if the attacker gives it a specific proxy configuration information that can come from multiple resources. 

Developers are encouraged to update their app dependencies to get rid of the bug and push updates to their users to make sure they’re safe.

In the News: Twitter Super Follows subscription tier list revealed


What’s the bug all about?

The developer of HTTP Toolkit, Tim Perry, discovered the bug disclosed a week ago and classified it as  CVE-2021-23406 when adding proxy support to his project. The library supports Proxy Aut0-Config, otherwise known as PAC files that tell HTTP clients which proxies to use for different hostnames.

“An attacker (by configuring a malicious PAC URL, intercepting PAC file requests with a malicious file, or using WPAD) can remotely run arbitrary code on your computer any time you send an HTTP request using this proxy configuration,” explains Tim in an advisory put out Tuesday

The PAC system was designed for Netscape Navigator 2.0 in 1996 but is still in widespread use today. Pac-Resolver v5 fixes the vulnerability. Therefore, if you’re using any version of the library older than v5, you should immediately update your dependencies. 

The vulnerability seriously affects developers who depend on the Pac-Resolver library versions older than v5 in a Node.js application and do one of the following:

  • Explicity use PAC files for proxy configuration.
  • Read and use OS proxy configurations in Node.js on WPAD enabled systems.
  • Use proxy configurations from shady resources. 

In the News: Samsung announces two new phone camera sensors; Goes over 200MPs

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.

>