Tim Perry

**Name of the Vulnerable Software and Affected Versions** pac-resolver versions prior to 5.0.0 **Description** This issue occurs due to unsafe PAC file handling when used with untrusted input, allowing for potential remote code execution. The pac-resolver package has over 3 million weekly downloads, and the vulnerability can be exploited in Node.js applications that support auto-proxy configuration. **Recommendations** For versions prior to 5.0.0, the fix for this issue is applied in the node-degenerator library, a dependency written by the same maintainer. As a temporary workaround, consider disabling the use of untrusted input with the pac-resolver package until the issue is resolved. Restrict access to the pac-resolver package to minimize the risk of exploitation.