Developer Tim Perry was the first to discover this pac-resolver flaw. He revealed that the vulnerability would allow attackers to run arbitrary malicious code every time an operator tries to send an HTTP request.
Proxy Auto-Config (PAC) is a set of rules instructing an HTTP client which proxy to use for a given hostname. PAC files are distributed from various locations, such as local networks and remote servers, over HTTP. However, this distribution isn’t always secure, since it does not use HTTPS.
The package has 3 million downloads a week and 285,000 public repos on GitHub. The vulnerability was recently discovered, fixed in v5.0.0, and labeled CVE-2021-23406. It took the developers only one week to fix this flaw.
Any developer who uses the pac-resolver library prior to version 5.0 is affected by this flaw. The only way to mitigate this vulnerability is to upgrade to version 5.0 as soon as possible.
It affects applications that have any of the following configurations:
- Using PAC files for proxy configuration explicitly
- Using proxy configuration from unreliable sources
- Using the operating system proxy configuration in Node.js with WPAD activated
“In any of those cases, an attacker (by configuring a malicious PAC URL, intercepting PAC file requests with a malicious file, or using WPAD) can remotely run arbitrary code on your computer any time you send an HTTP request using this proxy configuration,” notes Perry.
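Because pac-resolver is usually pulled in as a transitive dependency, the upgrade to 5.0 has to be confirmed in the lockfile rather than in `package.json`. The following is an added example, not code from pac-resolver or from Perry: it walks a parsed npm `package-lock.json` (both the flat `packages` layout and the older nested `dependencies` layout) and lists every installed copy older than 5.0. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: find pac-resolver installs older than 5.0 in a parsed package-lock.json.
// Affected range per the article: every version prior to 5.0.
const FIXED_MAJOR = 5;

function isAffected(version) {
  // Non-numeric versions (git URLs, missing fields) parse to NaN and are not flagged.
  const major = parseInt(String(version).split(".")[0], 10);
  return Number.isInteger(major) && major < FIXED_MAJOR;
}

// lockfileVersion 2 and 3: flat "packages" map keyed by install path.
function scanPackages(packages, hits) {
  for (const [path, meta] of Object.entries(packages)) {
    if (path.endsWith("node_modules/pac-resolver") && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
}

// lockfileVersion 1: nested "dependencies" tree, walked recursively.
function scanDependencies(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === "pac-resolver" && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
    scanDependencies(meta.dependencies, `${path}/`, hits);
  }
}

function findAffectedPacResolver(lock) {
  const hits = [];
  if (lock.packages) scanPackages(lock.packages, hits);
  else scanDependencies(lock.dependencies, "", hits);
  return hits;
}

// Constructed sample lockfile (not from a real project). For a real one:
// JSON.parse(fs.readFileSync("package-lock.json", "utf8"))
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/pac-resolver": { version: "5.0.0" },
    "node_modules/old-agent/node_modules/pac-resolver": { version: "4.2.0" },
  },
};

console.log(findAffectedPacResolver(sampleLock));
```

Each reported path names the parent package that still pins an old copy, which is the dependency that needs updating.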