The flaw in the pac-resolver dependency was found by developer Tim Perry, who notes it could have allowed an attacker on the local network to remotely run malicious code inside a Node.js process whenever that process sent an HTTP request. Node.js is the popular JavaScript runtime used to run JavaScript web applications and server-side tools.

“This package is used for PAC file support in Pac-Proxy-Agent, which is used in turn in Proxy-Agent, which then used all over the place as the standard go-to package for HTTP proxy autodetection & configuration in Node.js,” explains Perry.

PAC, or “Proxy Auto-Config”, refers to PAC files: small JavaScript programs used to distribute complex proxy rules that tell an HTTP client which proxy to use for a given URL and hostname. Perry notes they are widely used in enterprise systems. They are distributed from local network servers (typically discovered via WPAD) and from remote servers, often insecurely over plain HTTP rather than HTTPS. Because a PAC file is code, the client has to execute whatever JavaScript it receives in order to decide where to send each request.

pac-resolver gets three million downloads per week and has 285,000 public dependent repositories on GitHub, Perry notes in a blog post.

The vulnerability was fixed in v5.0.0 of all those packages and was assigned CVE-2021-23406 after it was disclosed last week. It means a lot of developers with Node.js applications are potentially affected and will need to update to version 5.0.0 or later.

It affects anyone who depends on pac-resolver prior to version 5.0.0 in a Node.js application, where the application does any of the following three things:

- Explicitly uses PAC files for proxy configuration
- Reads and uses the operating system proxy configuration in Node.js, on systems with WPAD enabled
- Uses proxy configuration (env vars, config files, remote config endpoints, command-line arguments) from any other source that you wouldn’t 100% trust to freely run code on your computer

“In any of those cases, an attacker (by configuring a malicious PAC URL, intercepting PAC file requests with a malicious file, or using WPAD) can remotely run arbitrary code on your computer any time you send an HTTP request using this proxy configuration,” notes Perry.