CVE-2021-23406
Unsafe PAC File Handling vulnerability in pac-resolver
What is CVE-2021-23406 About?
The `pac-resolver` package before version 5.0.0 is vulnerable due to unsafe PAC file handling when used with untrusted input. This flaw can lead to various security issues, including information disclosure or execution of attacker-controlled logic. Exploitation requires an attacker to provide a malicious PAC file or content.
Affected Software
- pac-resolver
  - <5.0.0
- degenerator
  - <3.0.1
Technical Details
The vulnerability in the `pac-resolver` package (versions prior to 5.0.0) stems from unsafe handling of Proxy Auto-Configuration (PAC) files, particularly when processing untrusted input. PAC files are JavaScript files that define how web browser clients automatically choose a proxy server. If a malicious PAC file or untrusted content that acts as a PAC file is provided to `pac-resolver`, the library might not adequately sanitize or restrict the execution environment of the JavaScript within the PAC file. This can lead to various security concerns, such as the execution of arbitrary JavaScript code by the attacker, allowing them to redirect network traffic, intercept information, or perform other malicious actions that leverage the privileges of the application processing the PAC file. The
What is the Impact of CVE-2021-23406?
Successful exploitation may allow attackers to redirect network traffic, intercept sensitive information, or execute arbitrary code in the context of the application parsing the PAC file, leading to information disclosure or system compromise.
What is the Exploitability of CVE-2021-23406?
Exploitation of this vulnerability requires an attacker to be able to provide untrusted input that is then processed by the `pac-resolver` package as a PAC file. The complexity is moderate, as it involves crafting a malicious JavaScript PAC file. No specific authentication or privilege requirements are mentioned, suggesting it could be exploited remotely if the application accepts external PAC file URLs or content from untrusted sources. The impact is significant because PAC files inherently control network requests. The fix being applied in `node-degenerator` suggests that the vulnerability lies in how arbitrary code within PAC files is evaluated. Systems processing user-supplied PAC URLs are at higher risk.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-23406?
Available Upgrade Options
- pac-resolver
  - <5.0.0 → Upgrade to 5.0.0
- degenerator
  - <3.0.1 → Upgrade to 3.0.1
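Both packages usually arrive as transitive dependencies, so it is worth confirming that the resolved tree actually contains the fixed releases. The following added example (not code from pac-resolver, degenerator or this advisory's sources) scans a parsed `package-lock.json` for versions below the thresholds listed above; the function names and sample lockfiles are constructed for illustration.

```javascript
// Fixed releases from the advisory: pac-resolver 5.0.0, degenerator 3.0.1.
const FIXED = new Map([['pac-resolver', [5, 0, 0]], ['degenerator', [3, 0, 1]]]);
// True when `version` sorts before the fixed [major, minor, patch] release.
function isBelow(version, fixed) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(version || '');
  if (!m) return true; // unparseable version: flag it for manual review
  for (let i = 0; i < 3; i++) {
    const n = Number(m[i + 1]);
    if (n !== fixed[i]) return n < fixed[i];
  }
  return Boolean(m[4]); // a pre-release of the fixed version sorts before it
}

// Scans a parsed package-lock.json. v2/v3 use a flat `packages` map keyed by
// install path; v1 nests `dependencies` objects inside each other.
function findVulnerable(lock) {
  const hits = [];
  const check = (name, version, where) => {
    const fixed = FIXED.get(name);
    if (fixed && isBelow(version, fixed)) hits.push({ name, version, where });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      check(path.split('node_modules/').pop(), meta.version, path);
    }
  } else {
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta.version, trail + name);
        walk(meta.dependencies, trail + name + ' > ');
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfiles (not taken from any real project).
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/pac-resolver': { version: '4.2.0' },
  'node_modules/pac-resolver/node_modules/degenerator': { version: '2.2.0' },
  'node_modules/degenerator': { version: '3.0.1' },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  'example-proxy-lib': { version: '1.0.0', dependencies: {
    'pac-resolver': { version: '5.0.0-beta.1' } } },
} };
console.log(findVulnerable(SAMPLE_V3), findVulnerable(SAMPLE_V1));
```

Each hit carries the install path or dependency trail, which shows which direct dependency has to be bumped to pull in the fixed release.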
Additional Resources
- https://osv.dev/vulnerability/GHSA-9j49-mfvp-vmhm
- https://snyk.io/vuln/SNYK-JS-PACRESOLVER-1564857
- https://nvd.nist.gov/vuln/detail/CVE-2021-23406
- https://github.com/TooTallNate/node-degenerator/commit/ccc3445354135398b6eb1a04c7d27c13b833f2d5
- https://github.com/TooTallNate/node-degenerator/commit/9d25bb67d957bc2e5425fea7bf7a58b3fc64ff9e
- https://github.com/TooTallNate
- https://github.com/TooTallNate/node-pac-resolver/releases/tag/5.0.0
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1568506
What are Similar Vulnerabilities to CVE-2021-23406?
Similar Vulnerabilities: CVE-2020-15160, CVE-2019-14811, CVE-2018-1000006, CVE-2017-5373, CVE-2016-10543
