Vulnerability in pac-resolver NPM package with 3 million downloads per week

A vulnerability (CVE-2021-23406) has been identified in the pac-resolver NPM package, which has over 3 million downloads per week. It allows an attacker's JavaScript code to execute in the application context when HTTP requests are made from Node.js projects that support automatic proxy configuration.

The pac-resolver package parses PAC files, which carry an automatic proxy configuration script. A PAC file contains ordinary JavaScript code with a FindProxyForURL function that decides which proxy to use depending on the host and the requested URL. The essence of the vulnerability is that pac-resolver executed this JavaScript with the VM API built into Node.js, which runs JavaScript code in a separate context of the V8 engine.

The Node.js documentation explicitly marks this API as not intended for running untrusted code, since it does not fully isolate the executed script and leaves the original context reachable. The issue is fixed in pac-resolver 5.0.0, which switches to the vm2 library, which provides a higher level of isolation intended for running untrusted code.


With a vulnerable version of pac-resolver, an attacker who can supply a specially crafted PAC file can have their JavaScript code executed in the context of a Node.js project, provided that project uses libraries that depend on pac-resolver. The most popular of the affected libraries is Proxy-Agent, listed as a dependency of 360 projects, including urllib, aws-cdk, mailgun.js and firebase-tools, which together total over three million downloads per week.

If an application that depends on pac-resolver loads a PAC file obtained via the WPAD proxy auto-discovery protocol, attackers with access to the local network can use the DHCP distribution of proxy settings to substitute a malicious PAC file.

Source: opennet.ru
