Article 5P2ZN NPM package with 3 million weekly downloads had a severe vulnerability

by Ax Sharma, from Ars Technica - All content

Popular NPM package "pac-resolver" has fixed a severe remote code execution (RCE) flaw.

The pac-resolver package receives over 3 million weekly downloads, so the vulnerability reaches every Node.js application that relies on this open source dependency. Pac-resolver describes itself as a module that accepts JavaScript proxy auto-configuration (PAC) files and generates a function your app can call to decide which domains should be reached through a proxy.

To proxy or not to proxy

This week, developer Tim Perry disclosed a high-severity flaw in pac-resolver that can enable threat actors on the local network to run arbitrary code within your Node.js process whenever it attempts to make an HTTP request.
