“This package is used for PAC file support in Pac-Proxy-Agent, which is used in turn in Proxy-Agent, which is then used all over the place as the standard go-to package for HTTP proxy autodetection & configuration in Node.js,” explains Perry.
It’s a widespread issue as Proxy-Agent is used in Amazon Web Services Cloud Development Kit (CDK), the Mailgun SDK and Google’s Firebase CLI.
The package gets three million downloads per week and has 285,000 public dependent repos on GitHub, Perry notes in a blog post.
The vulnerability was fixed in v5.0.0 of all those packages recently and was marked as CVE-2021-23406 after it was disclosed last week.
As a result, many developers with Node.js applications are potentially affected and will need to update to version 5.0.
The flaw affects anyone who depends on Pac-Resolver prior to version 5.0 in a Node.js application, provided the application does any of the following three things:
- Explicitly use PAC files for proxy configuration
- Read and use the operating system proxy configuration in Node.js, on systems with WPAD enabled
- Use proxy configuration (env vars, config files, remote config endpoints, command-line arguments) from any other source that you wouldn’t 100% trust to freely run code on your computer
“In any of those cases, an attacker (by configuring a malicious PAC URL, intercepting PAC file requests with a malicious file, or using WPAD) can remotely run arbitrary code on your computer any time you send an HTTP request using this proxy configuration,” notes Perry.
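One way to check a project for exposure, as an added example (not code from Perry or from the packages' maintainers): it walks a parsed `package-lock.json` and reports every install of the three packages named above whose major version is below 5. The function names and the sample lockfile are constructed for illustration, and the comparison is by major version only.

```javascript
// Added example: flag lockfile entries older than the fixed 5.0.0 release.
const AFFECTED = ['pac-resolver', 'pac-proxy-agent', 'proxy-agent']; // named in the article
const FIXED_MAJOR = 5; // article: fixed in v5.0.0 of these packages

// Major version of a version string; NaN for non-numeric specs (e.g. git URLs),
// which are therefore never flagged and need a manual look.
function majorOf(version) {
  return parseInt(String(version).split('.')[0], 10);
}

// Walk a parsed package-lock.json and return every pre-5.0 install found.
function findVulnerable(lock) {
  const hits = [];
  const check = (name, version, where) => {
    if (AFFECTED.includes(name) && majorOf(version) < FIXED_MAJOR) {
      hits.push({ name, version, where });
    }
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop(); // '' for the root entry
    if (name && meta.version) check(name, meta.version, path);
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists
  // so that version 2 lockfiles, which carry both, are not counted twice).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = trail ? `${trail} > ${name}` : name;
      if (meta.version) check(name, meta.version, where);
      walk(meta.dependencies, where);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/proxy-agent': { version: '4.0.1' },
    'node_modules/pac-proxy-agent': { version: '5.0.0' },
    'node_modules/proxy-agent/node_modules/pac-resolver': { version: '4.2.0' },
    'node_modules/express': { version: '4.17.1' },
  },
};
console.log(findVulnerable(sampleLock));
```

To scan a real project, pass the result of `JSON.parse` on the contents of its `package-lock.json` to `findVulnerable`; an empty array means no pre-5.0 copy of the three packages is installed.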