NPM package with 3 million weekly downloads had a severe vulnerability

Getty Pictures

Fashionable NPM bundle “pac-resolver” has fastened a extreme distant code execution (RCE) flaw.

The pac-resolver bundle receives over 3 million weekly downloads, extending this vulnerability to Node.js purposes counting on the open supply dependency. Pac-resolver touts itself as a module that accepts JavaScript proxy configuration information and generates a operate on your app to map sure domains to make use of a proxy.

To proxy or to not proxy

This week, developer Tim Perry disclosed a high-severity flaw in pac-resolver that may allow risk actors on the native community to run arbitrary code inside your Node.js course of at any time when it makes an attempt to make an HTTP request.

Whereas including proxy help to his HTTP Toolkit, Perry started auditing the pac-resolver code and got here throughout the safety subject. Tracked as CVE-2021-23406, the vulnerability has to do with how Proxy Auto-Config (PAC) information are processed by the module. PAC information encompass JavaScript code specifying a proxy configuration—which community requests ought to go over a proxy and which ought to exit instantly. For instance, in a PAC file, community directors can explicitly specify a community proxy by way of which all site visitors must be routed and present domains which are exempted from the requirement:

operate FindProxyForURL(url, host) {
// Ship all *.instance requests instantly with no proxy:
if (dnsDomainIs(host, '')) {
return 'DIRECT';

// Ship each different request by way of this proxy:
return 'PROXY';

Within the instance above, community requests to “” will bypass the proxy, whereas the remainder of the site visitors is instructed to undergo a proxy server.

Initially launched as a part of Netscape Navigator 2.0 in 1996, the PAC customary stays related and in widespread use at this time. For instance, Net Proxy Auto-Discovery Protocol (WAPD) makes use of DNS and/or DHCP providers to find PAC information on a community and import the proxy configuration into an utility. Nonetheless, as proxy configurations turn out to be bigger, the JavaScript code in a PAC file can get more and more complicated and is ideally designed to run in a virtualized atmosphere (VM).

Few traces of JavaScript can bypass VM, result in RCE

And that is the place the issue begins.

For instance, a associated NPM bundle referred to as Pac-Proxy-Agent, which is made by the identical creator and has over 2 million weekly downloads, offers PAC file help to Node.js purposes. Pac-Proxy-Agent does so by taking within the URL to a PAC file, retrieving the file, after which appearing as a Node.js HTTP agent dealing with outgoing requests on your utility. However Pac-Proxy-Agent fails to sandbox PAC information appropriately as a result of it makes use of the weak pac-resolver module, which additional depends on “degenerator” to construct the PAC operate.

Degenerator is yet one more bundle by the identical creator that helps rework arbitrary code right into a sandboxed operate utilizing Node.js’ “VM” module. However the VM module was by no means designed for use as a safety mechanism, one thing that’s explicitly spelled out in Node.js docs. Due to this fact, the output from degenerator—when utilized by a sequence of packages like pac-resolver, Pac-Proxy-Agent, and proxy-agent—poses a safety threat.

Referring to a disclaimer in Node docs saying, “vm module just isn’t a safety mechanism. Don’t use it to run untrusted code,” Perry mentioned in a weblog put up, “That is a straightforward mistake to make—it is small textual content (frankly, it must be the headline on that web page and subsequent to each technique).” Perry additional alleges that MongoDB additionally did “the very same factor too in 2019, with even worse penalties.” Nonetheless, the CVE Perry hyperlinks to includes a third-party software named mongo-express. MongoDB confirmed to Ars that they don’t have any affiliation with the bundle in query.

Perry defined additional that “this creates a giant drawback. Whereas VM does attempt to create an remoted atmosphere in a separate context, there is a lengthy checklist of simple methods to entry the unique context and escape of the sandbox totally… permitting code contained in the ‘sandbox’ to principally do something it likes in your system.”

With that, Perry shared a proof-of-concept exploit code demonstrating how an attacker can escape of the VM:

“That is it—that is all that is required to interrupt out of the VM module sandbox. If you can also make a weak goal use this PAC file as their proxy configuration, then you may run arbitrary code on their machine,” he defined.

The vulnerability critically impacts those that use pac-resolver variations prior to five.0.0, even transitively of their Node.js utility, and:

  • Explicitly use PAC information for proxy configuration or
  • Learn and use the working system proxy configuration in Node.js on programs with WPAD enabled or
  • Use proxy configuration (env vars, config information, distant config endpoints, command-line arguments) from an untrusted supply

A distant attacker can, in any of those eventualities, configure a malicious PAC URL and run arbitrary code on a pc any time an HTTP request is made utilizing the proxy configuration.

The repair for pac-resolver in model 5.0.0 consists of merely bumping up the degenerator model to three.0.1. The core repair went into degenerator itself and implements a stronger sandboxing mechanism by way of the vm2 module to “stop privilege escalation of untrusted code.”

Perry thanked Snyk for supporting the developer all through the coordinated vulnerability disclosure course of.

Affected builders ought to improve to pac-resolver model 5.0.0 or above to repair this extreme vulnerability of their purposes.

Source link