Bug 1998236 (CVE-2021-23406) - CVE-2021-23406 nodejs-pac-resolver: remote code execution when used with untrusted input due to unsafe PAC file handling
Summary: CVE-2021-23406 nodejs-pac-resolver: remote code execution when used with untr...
Keywords:
Status: NEW
Alias: CVE-2021-23406
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 1999096 1999098 1999099 1999100
Blocks: 1998237
TreeView+ depends on / blocked
 
Reported: 2021-08-26 16:37 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-07-07 08:33 UTC (History)
4 users (show)

Fixed In Version: pac-resolver 5.0.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs-pac-resolver. A remote code execution can occur with untrusted input, due to unsafe PAC file handling. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2021-08-26 16:37:10 UTC 
This affects the package pac-resolver before 5.0.0. This can occur when used with untrusted input, due to unsafe PAC file handling. **NOTE:** The fix for this vulnerability is applied in the node-degenerator library, a dependency written by the same maintainer.

References:
https://snyk.io/vuln/SNYK-JS-PACRESOLVER-1564857

Upstream patches:
https://github.com/TooTallNate/node-degenerator/commit/9d25bb67d957bc2e5425fea7bf7a58b3fc64ff9e
https://github.com/TooTallNate/node-degenerator/commit/ccc3445354135398b6eb1a04c7d27c13b833f2d5
Note You need to log in before you can comment on or make changes to this bug.