PT-2021-15497 · Npm · Pac-Resolver

Tim Perry

Published

2021-08-24

Updated

2021-09-13

CVE-2021-23406

CVSS v3.1

8.1

High

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions pac-resolver versions prior to 5.0.0

Description This issue occurs due to unsafe PAC file handling when used with untrusted input, allowing for potential remote code execution. The pac-resolver package has over 3 million weekly downloads, and the vulnerability can be exploited in Node.js applications that support auto-proxy configuration.

Recommendations For versions prior to 5.0.0, the fix for this issue is applied in the node-degenerator library, a dependency written by the same maintainer. As a temporary workaround, consider disabling the use of untrusted input with the pac-resolver package until the issue is resolved. Restrict access to the pac-resolver package to minimize the risk of exploitation.

Exploit

Fix

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94

Related Identifiers

CVE-2021-23406

GHSA-9J49-MFVP-VMHM

SNYK-JAVA-ORGWEBJARSNPM-1568506

SNYK-JS-PACRESOLVER-1564857

Affected Products

Pac-Resolver

PT-2021-15497 · Npm · Pac-Resolver

CVE-2021-23406

Weakness Enumeration

Related Identifiers

Affected Products

References · 16