Update this NPM package now, millions of devs told

The library has put out a new major release to patch the vulnerability


Cybersecurity researchers have found a high-severity remote code execution (RCE) vulnerability inside a widely used NPM package named Pac-Resolver.

According to researcher Tim Perry who found the flaw, PAC stands for Proxy Auto-Config, which are scripts written in JavaScript that help HTTP clients select the right proxy for a given hostname, using dynamic logic.

“This package is used for PAC file support in Pac-Proxy-Agent, which is used in turn in Proxy-Agent, which is then used all over the place as the standard go-to package for HTTP proxy autodetection & configuration in Node.js. It’s very popular,” writes Perry.

He adds that Proxy-Agent clocks about three million downloads per week, and exists in 285,000 public dependent repos on GitHub.

Affects countless apps

In his post, Perry explains that the vulnerability, tracked as CVE-2021-23406, could enable bad actors to remotely run arbitrary code on your computer whenever you send an HTTP request.

Further explaining the conditions that make Node.js apps prone to exploitation, Perry says the vulnerability affects all Pac-Resolver users who explicitly use PAC files for proxy configuration, or read and use the operating system proxy configuration on systems that use the WPAD protocol, or use proxy configuration from an untrusted source.

In a way, Perry believes the vulnerability affects anyone who uses the Pac-Resolver package in their apps.

“If you’re in this situation, you need to update (to Pac-Resolver v5 and/or Proxy-Agent v5) right now,” suggests Perry.
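One way to check whether a project still pulls in a pre-v5 build of either package is to scan its lockfile. The script below is an added example, not code from the article or from the Pac-Resolver project; it assumes a package-lock.json in the lockfileVersion 2/3 layout (a top-level "packages" map keyed by node_modules path) and uses a constructed sample lockfile so it runs offline.

```javascript
// Added example: flag pac-resolver / proxy-agent entries below the fixed major version 5
// (the article's remediation) in a lockfileVersion 2/3 package-lock.json "packages" map.
const FIXED_IN = { 'pac-resolver': [5, 0, 0], 'proxy-agent': [5, 0, 0] };

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes ignored); null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric comparison of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Walk every installed package path (including nested node_modules copies,
// which is where an old proxy-agent typically carries its own old pac-resolver).
function findVulnerable(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // "" is the root project itself
    const marker = 'node_modules/';
    const name = meta.name || path.slice(path.lastIndexOf(marker) + marker.length);
    const fixed = FIXED_IN[name];
    const ver = fixed ? parseVersion(meta.version) : null;
    if (ver && compareVersions(ver, fixed) < 0) {
      findings.push({ path, name, version: meta.version, fixedIn: fixed.join('.') });
    }
  }
  return findings;
}

// Constructed sample lockfile: an old proxy-agent bundling an old pac-resolver,
// plus a top-level pac-resolver that is already on the fixed line.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/proxy-agent': { version: '4.0.1' },
    'node_modules/proxy-agent/node_modules/pac-resolver': { version: '4.2.0' },
    'node_modules/pac-resolver': { version: '5.0.0' },
  },
};

for (const f of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.name}@${f.version} is below ${f.fixedIn}, update required`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; `npm audit` performs the same kind of check across the whole dependency tree.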

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.