Wednesday, 09 July 2025

NPM package had a dangerous vulnerability

The popular NPM package "pac-resolver" was affected by a severe remote code execution vulnerability. The issue affected Node.js applications that relied on this open source dependency.

According to the developers, pac-resolver is a module that accepts configuration (PAC) files written in JavaScript and generates application-specific functionality from them. With its help, users can configure certain domains to use a proxy.

The vulnerability in the pac-resolver package was discovered by Tim Perry, who explained that the bug allows an attacker on the local network to run arbitrary code within the Node.js process. The vulnerability received the identifier CVE-2021-23406 and seriously impacts pac-resolver versions prior to 5.0.0.

The developers have already released a patch, shipped in version 5.0.0. The module now uses a stronger sandboxing mechanism.
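Since the fix is tied to a specific release, the practical check for a defender is whether any copy of pac-resolver below 5.0.0, including nested copies pulled in by other dependencies, is still present in a project's lockfile. The following is an added example, not code from the article or the pac-resolver project; the lockfile contents and the dependency name "some-proxy-lib" are constructed.

```javascript
// Added example (not from the article): flag pac-resolver copies below the patched 5.0.0
// release in a package-lock.json (v2/v3 format). The sample lockfile below is constructed.
const FIXED_VERSION = '5.0.0'; // first release carrying the fix for CVE-2021-23406

// Numeric compare of dotted versions ("4.2.0" < "5.0.0"); pre-release suffixes are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Collect every installed copy of `name`. Lockfile v2/v3 lists packages flat under
// "packages", keyed by install path, so nested copies pulled in by other dependencies
// show up as ".../node_modules/<dep>/node_modules/<name>" and are caught too.
function findPackage(lock, name) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Copies of pac-resolver that still carry the vulnerability (version < FIXED_VERSION).
function vulnerablePacResolvers(lock) {
  return findPackage(lock, 'pac-resolver')
    .filter((hit) => compareVersions(hit.version, FIXED_VERSION) < 0);
}

// Constructed v2 lockfile: the top-level copy is patched, the nested one is not.
// "some-proxy-lib" is a hypothetical dependency name.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/pac-resolver': { version: '5.0.0' },
    'node_modules/some-proxy-lib': { version: '1.0.0' },
    'node_modules/some-proxy-lib/node_modules/pac-resolver': { version: '4.2.0' },
  },
};

console.log(vulnerablePacResolvers(SAMPLE_LOCK)); // one hit: the nested 4.2.0 copy
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-empty result means the project still ships an unpatched copy.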

Source: anti-malware.ru

06 September 2021
