Experts found a critical flaw, tracked as CVE-2021-23406, in the popular NPM package ‘Pac-Resolver’ that has millions of downloads every week.
The vulnerability can be exploited by remote attackers to run malicious code inside Node.js applications.
The flaw affects Pac-Resolver versions before 5.0.0 and received a CVSS score of 8.1.
The expert explained that a malicious PAC file can be used to escape the sandbox it is evaluated in and run code on the underlying operating system.
“A flaw was found in nodejs-pac-resolver. A remote code execution can occur with untrusted input, due to unsafe PAC file handling. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.” reads an advisory published by Red Hat.
The flaw was addressed in Pac-Resolver v5.0.0, Pac-Proxy-Agent v5.0.0, and Proxy-Agent v5.0.0. The development team addressed it by evaluating PAC files in a real sandbox instead of the built-in Node.js vm module.
The post Popular NPM package Pac-Resolver affected by a critical flaw appeared first on Security Affairs.
Author Of this post: Pierluigi Paganini