Critical Bug Reported in NPM Package With Millions of Downloads Weekly


A widely used NPM package called ‘Pac-Resolver‘ for the JavaScript programming language has been remediated with a fix for a high-severity remote code execution vulnerability that could be abused to run malicious code inside Node.js applications whenever HTTP requests are sent.

The flaw, tracked as CVE-2021-23406, has a severity rating of 8.1 on the CVSS vulnerability scoring system and impacts Pac-Resolver versions before 5.0.0.

A Proxy Auto-Configuration (PAC) file is a JavaScript function that determines whether web browser requests should be routed directly to the destination or forwarded to a web proxy server for a given hostname. PAC files are how proxy rules are distributed in enterprise environments.

“This package is used for PAC file support in Pac-Proxy-Agent, which is used in turn in Proxy-Agent, which is then used everywhere as the standard go-to package for HTTP proxy auto-detection and configuration in Node.js,” Tim Perry said in a write-up published late last month. “It is extremely popular: Proxy-Agent is used everywhere from AWS’s CDK toolkit to the Mailgun SDK to the Firebase CLI.”

CVE-2021-23406 has to do with how Pac-Proxy-Agent doesn’t sandbox PAC files correctly, resulting in a scenario where an untrusted PAC file could be abused to break out of the sandbox entirely and run arbitrary code on the underlying operating system. This, however, requires that the attacker either resides on the local network, has the ability to tamper with the contents of the PAC file, or chains it with a second vulnerability to alter the proxy configuration.

“This is a well-known attack against the VM module, and it works because Node doesn’t isolate the context of the ‘sandbox’ fully, because it’s not really trying to provide serious isolation,” Perry said. “The fix is simple: use a real sandbox instead of the VM built-in module.”

Red Hat, in an independent advisory, said the vulnerable package is shipped with its Advanced Cluster Management for Kubernetes product, but noted it is “currently not aware of the vector to trigger the vulnerability in the affected component, moreover the affected component is protected by user authentication reducing the potential impact of this vulnerability.”
