Sunday, December 5, 2021

NPM package with 3 million weekly downloads had a severe vulnerability

The popular “pac-resolver” NPM package fixed a serious remote code execution (RCE) flaw.

The pac-resolver package receives over 3 million weekly downloads, so the vulnerability reaches every Node.js application that pulls in the open source dependency, whether directly or through another package. Pac-resolver takes a JavaScript proxy configuration (PAC) file and generates a function that tells an application which of its requests should go through which proxy, if any.

Agent or non-agent

This week, developer Tim Perry disclosed a high-severity flaw in pac-resolver that may allow threat actors on the local network to execute arbitrary code in your Node.js process whenever it attempts to make an HTTP request.

Perry found the issue while auditing the pac-resolver code in order to add proxy support to his HTTP Toolkit. Tracked as CVE-2021-23406, the vulnerability has to do with how Proxy Auto-Config (PAC) files are handled by the module. A PAC file is JavaScript code specifying a proxy configuration: which network requests should go through a proxy, and which should go out directly. For example, in a PAC file a network administrator can name a proxy through which all traffic should be routed and list the domains exempted from that requirement:

function FindProxyForURL(url, host) {
  // Send all *.example requests directly with no proxy:
  if (dnsDomainIs(host, '.example')) {
    return 'DIRECT';
  }

  // Send every other request via this proxy:
  return 'PROXY proxy.example:8080'; // proxy address assumed; the original's was lost in extraction
}

In the example above, network requests to hosts under “*.example” bypass the proxy, while all other traffic must go through the proxy server.

Originally introduced as part of Netscape Navigator 2.0 in 1996, the PAC standard remains relevant and widely used today. For example, the Web Proxy Auto-Discovery Protocol (WPAD) uses DNS and/or DHCP to locate a PAC file on the network and import its proxy configuration into an application. As proxy configurations grow, the JavaScript in a PAC file can become more complex, and because it is executable code fetched from the network it should run in an isolated sandbox rather than be evaluated directly inside the application.

A few lines of JavaScript can bypass the VM and lead to RCE

And this is where the problem begins.

An associated NPM package called Pac-Proxy-Agent, which is created by the same author and has over 2 million weekly downloads, provides PAC file support to Node.js applications. Pac-Proxy-Agent does this by taking the URL of a PAC file, retrieving the file, and then acting as a Node.js HTTP agent that handles outgoing requests for your application. But Pac-Proxy-Agent fails to sandbox PAC files properly because it uses the vulnerable pac-resolver module, which in turn relies on “degenerator” to build the PAC function.

Degenerator is another package from the same author that turns arbitrary code into a sandboxed function using the “vm” module of Node.js. But the vm module was never intended to be a security mechanism, as the Node.js documentation explicitly states. Therefore the output of degenerator, when used by a chain of packages like pac-resolver, pac-proxy-agent, and proxy-agent, poses a security risk.

Referring to a disclaimer in Node’s documentation saying, “The vm module is not a security mechanism. Do not use it to run untrusted code,” Perry said in a blog post, “This is an easy mistake to make – it’s a little text (frankly, it should be the title on this page and next to each method).” Perry further alleges that MongoDB also did “exactly the same thing in 2019 as well, with even worse consequences”. However, the CVE Perry links to involves a third-party tool named mongo-express. MongoDB confirmed to Ars that it has no affiliation with the package in question.

Perry further explained that “this creates a big problem. While vm tries to create an isolated environment in a separate context, there is a long list of easy ways to get to the original context and completely escape the sandbox … allowing the code inside the ‘sandbox’ to do whatever it wants on your system.”

With that, Perry shared proof-of-concept exploit code (reproduced as a screenshot in the original article) demonstrating how a PAC file can escape the vm sandbox:

“That’s it, that’s all that’s needed to get out of the vm module sandbox. If you can get a vulnerable target to use this PAC file as a proxy configuration, then you can run arbitrary code on their machine,” he explained.

The vulnerability affects anyone who uses a version of pac-resolver prior to 5.0.0, even transitively, in their Node.js application, and who also:

  • Explicitly use PAC files for proxy configuration or
  • Read and use the operating system proxy configuration in Node.js on systems with WPAD enabled or
  • Use proxy configuration (env vars, config files, remote config endpoints, command line arguments) from untrusted source

In any of these scenarios, an attacker who can supply a malicious PAC URL (for example by answering WPAD lookups on the local network) can execute arbitrary code on the machine every time an HTTP request is made using that proxy configuration.

The fix for pac-resolver in version 5.0.0 is simply to upgrade its degenerator dependency to 3.0.1. The main fix went into degenerator itself, which now builds the PAC function with the stricter vm2 sandbox instead of Node’s built-in vm module, in order to “prevent privilege escalation of untrusted code”.

Perry thanked Snyk for supporting the developer throughout the coordinated vulnerability disclosure process.

Affected developers should upgrade to pac-resolver version 5.0.0 or higher, and check that no older copy remains nested under other dependencies such as pac-proxy-agent or proxy-agent, to address this severe vulnerability in their applications.



