JavaScript NPM library with 3 million weekly downloads exposed apps to hijacking

JavaScript NPM library with 3 million weekly downloads exposed apps to hijacking

Image:
JavaScript NPM library with 3 million weekly downloads exposed apps to hijacking

Pac-Resolver library versions older than 5.0.0 are vulnerable

Pac-Resolver, a widely used NPM library, has received a patch to address a high-severity remote code execution (RCE) bug that could allow malicious actors to hijack a Node.js process via a corrupted proxy configuration.

The library receives over three million downloads a week, which means a significant number of apps relying on the open source dependency are at risk.

The high-severity bug was discovered by developer Tim Perry while adding proxy support to his HTTP Toolkit project.

Perry disclosed the details of the bug in an advisory this week.

Pac-Resolver touts itself as a module that 'accepts a JavaScript String of code, which is meant to be a PAC proxy file, and returns a generated asynchronous FindProxyForURL() function'.

The function enables an app to map certain domains to use a proxy.

"PAC stands for ‘Proxy Auto-Config'. A PAC file is a script written in JavaScript that tells an HTTP client which proxy to use for a given hostname, using dynamic logic to do so," Perry explained.

According to Perry, the vulnerability, indexed as CVE-2021-23406, could enable malicious actors on the local network to run arbitrary code within a Node.js process whenever it attempts to make an HTTP request.

Essentially, any app using the faulty code to handle internet proxies can end up running malicious code if an attacker gives it specific booby-trapped proxy configuration information.

"An attacker (by configuring a malicious PAC URL, intercepting PAC file requests with a malicious file, or using WPAD) can remotely run arbitrary code on your computer any time you send an HTTP request using this proxy configuration," Perry said.

Pac-Resolver library versions older than 5.0.0 are vulnerable to the RCE bug, according to Perry.

The fix for the bug has been applied in the node-degenerator library, a dependency written by the same maintainer.

Developers who have included Pac-Resolver package into their apps are encouraged to update their dependencies to get rid of the vulnerability and to push necessary updates to users to secure them from malicious actors.

The incident highlights the significance of reviewing code dependencies in apps, Perry said.

"In many cases, especially for large applications with complex dependencies, that's not possible for all dependencies, but at least reviewing your most sensitive dependencies (like automatic proxy configuration) will help you catch these unintentional bugs and help get them fixed for everybody," he added.