CVE-2021-23406 Overview
CVE-2021-23406 is a remote code execution vulnerability in the pac-resolver Node.js package in versions before 5.0.0. pac-resolver evaluates PAC (Proxy Auto-Config) files, and a PAC file is not a configuration format but a JavaScript program: the package has to execute the script it is given in order to call its FindProxyForURL function. Versions before 5.0.0 did not evaluate that script inside an effective sandbox, so an application that hands pac-resolver a PAC file from an external or attacker-influenced source also hands the file's author code execution in the Node.js process. pac-resolver is widely used, directly and as a transitive dependency of proxy-handling packages, to resolve proxy settings automatically, so the exposure is often indirect and not visible from package.json alone.
The fix was made in node-degenerator (published on npm as degenerator), the dependency by the same maintainer that pac-resolver uses to compile and execute the PAC script; pac-resolver 5.0.0 picks up the fixed dependency. This is a reminder that a fix, like a flaw, can live one or more levels down the dependency tree, so lockfiles have to be checked for the transitive package as well as for the one named in the advisory.
Critical Impact
An attacker who can supply a malicious PAC file to an application running a vulnerable pac-resolver gets arbitrary JavaScript execution with the privileges of that Node.js process. On most deployments that means command execution, file access and outbound network access as the application user, and potentially complete compromise of the host.
Affected Products
- pac-resolver versions prior to 5.0.0
- Node.js applications using pac-resolver as a dependency
- Java projects that embed the same versions through the org.webjars.npm:pac-resolver WebJar (the JavaScript is identical; the exposure exists only where that code is actually executed under Node.js)
Discovery Timeline
- 2021-08-24 - CVE-2021-23406 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-23406
Vulnerability Analysis
pac-resolver's job is to evaluate PAC files. A PAC file is a JavaScript script that defines a FindProxyForURL(url, host) function; the client calls it for each request and it returns a proxy directive string such as "PROXY proxy.example:8080; DIRECT". Because the file is executable code, the only thing standing between the PAC author and the host process is the isolation of the environment the script runs in, and in vulnerable versions that isolation could be escaped when untrusted PAC content was processed.
pac-resolver does not execute the PAC source directly. It passes the script to node-degenerator, which rewrites the synchronous PAC code into async functions (the PAC helper functions such as dnsResolve and myIpAddress are asynchronous in Node.js) and then compiles the rewritten source into a callable function. That compile step is where the script is evaluated, and it is the sandboxing at that step that was insufficient: PAC code could reach outside its intended execution context and run arbitrary JavaScript in the host process.
Root Cause
The root cause is that the JavaScript in a PAC file was evaluated without an effective isolation boundary in degenerator's compile step, so the script could reach host-process objects and run arbitrary code. The two degenerator commits quoted below are part of the fix series on that compile path: the first changes how the caller-supplied `filename` option is passed to the vm2 sandbox (the hunk shown only introduces the `VMScript` import; the call site that uses it is not reproduced here), and the second makes the async wrapper tolerate a PAC function that returns `undefined` (without the optional chaining, `p.then` throws a TypeError). Neither hunk is the sandbox escape itself, and the advisory text does not spell out the escape beyond "unsafe PAC file handling", so do not read more into these diffs than they show. One caveat for anyone relying on vm2 as the boundary today: the vm2 project has since been discontinued by its maintainer after a series of sandbox-escape vulnerabilities, and its README states that it should not be used in production, so "runs in vm2" is no longer a sufficient answer for untrusted PAC content.
Attack Vector
An attacker can exploit this vulnerability by crafting a malicious PAC file and having a vulnerable application process it. This can occur in scenarios such as:
- Applications that accept PAC file URLs from user input, or that take them from proxy settings a user or local process can influence
- Man-in-the-middle attacks where an attacker intercepts and modifies PAC file responses
- Compromised PAC file hosting servers
The attacker needs a way to deliver the file, not an existing foothold on the host: whoever controls the bytes of the PAC file that the vulnerable application evaluates controls the code it runs. Once the file is evaluated, the attacker's JavaScript executes with the privileges of the Node.js process.
// Security patch in node-degenerator src/index.ts - Fix `filename` option
// Source: https://github.com/TooTallNate/node-degenerator/commit/9d25bb67d957bc2e5425fea7bf7a58b3fc64ff9e
import { parseScript } from 'esprima';
import { visit, namedTypes as n, builders as b } from 'ast-types';
import { Context, RunningScriptOptions } from 'vm';
-import { VM } from 'vm2';
+import { VM, VMScript } from 'vm2';
/**
* Compiles sync JavaScript code into JavaScript with async Functions.
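Review bot: this hunk changes only the import line, and nothing in the shown context uses `VMScript`, so as presented the change has no effect on how `filename` is handled. Please include the hunk inside `compile` that constructs the `VMScript` (and the `vm.run` call it feeds) so a reviewer can confirm that the caller's `filename` option ends up on the script object, and that it is no longer possible for the option to be silently ignored; an import with no visible consumer would otherwise be flagged by lint as unused.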
Source: GitHub Commit - node-degenerator filename fix
// Security patch in node-degenerator src/index.ts - Fix return `undefined`
// Source: https://github.com/TooTallNate/node-degenerator/commit/ccc3445354135398b6eb1a04c7d27c13b833f2d5
const r = function (this: any, ...args: A): Promise<R> {
try {
const p = fn.apply(this, args);
- if (typeof p.then === 'function') {
+ if (typeof p?.then === 'function') {
return p;
}
return Promise.resolve(p);
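Review bot: the `?.` on `typeof p?.then` only papers over `p` being `undefined` or `null`; the branch is not needed at all. `Promise.resolve(p)` returns a native promise unchanged and adopts any thenable, so a single `return Promise.resolve(p);` covers `undefined`, plain values, native promises and foreign thenables, and removes the special case. If the branch is kept, note that `return p;` hands back a non-native thenable as-is even though the signature promises `Promise<R>`, so a caller's `.catch` or `.finally` may not exist on it.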
Source: GitHub Commit - node-degenerator undefined return fix
Detection Methods for CVE-2021-23406
Indicators of Compromise
- Child processes (shells, curl, package managers) spawned by a Node.js process that resolves proxies through pac-resolver, especially shortly after a PAC file was fetched
- Outbound connections from that process to hosts other than the configured proxy and the PAC source
- File system reads or writes outside the application's normal paths, originating from the proxy-resolving process
- PAC file bodies, where they are logged or cached, containing constructs a proxy script has no reason to use (references to constructor chains, require, process or child_process); treat these as a strong signal of a hostile PAC source
Detection Strategies
- Audit package-lock.json (and yarn.lock) rather than only package.json for pac-resolver resolved to a version below 5.0.0; `npm ls pac-resolver` shows every copy, including nested transitive ones under proxy-handling packages
- Use dependency scanning tools like npm audit or Snyk to identify vulnerable packages
- Monitor application logs for PAC parse or evaluation errors from degenerator or vm2; a successful escape produces no error, so treat these as evidence of probing or of a broken PAC source, not as detection of compromise
- Implement Software Composition Analysis (SCA) in CI/CD pipelines to detect vulnerable dependencies
Monitoring Recommendations
- Enable verbose logging for applications that process PAC files
- Monitor process execution chains for unexpected command execution
- Implement network monitoring for outbound connections from Node.js processes
- Set up alerts for dependency updates in affected packages
How to Mitigate CVE-2021-23406
Immediate Actions Required
- Update pac-resolver to version 5.0.0 or later immediately
- Confirm that the lockfile resolves the degenerator dependency (the npm name of node-degenerator) to the version pac-resolver 5.0.0 requires; `npm ls degenerator` shows which copies are installed and who pulls them in
- Audit all applications using pac-resolver for exposure to untrusted PAC files
- Consider restricting PAC file sources to trusted origins only
Patch Information
The vulnerability is fixed in pac-resolver version 5.0.0 and later; the underlying changes were made in the degenerator dependency, which pac-resolver 5.0.0 depends on. Updating pac-resolver is therefore sufficient for most applications, provided the lockfile actually moves to the new major rather than keeping an older nested copy. For details see the pac-resolver v5.0.0 release notes and the security commits in the node-degenerator repository.
Workarounds
- Avoid processing PAC files from untrusted or user-controlled sources
- Implement strict input validation for any PAC file URLs accepted by applications
- Consider using allow-lists for permitted PAC file sources
- Deploy network-level controls to prevent PAC file requests to untrusted domains
# See every installed copy of pac-resolver, including nested transitive ones
npm ls pac-resolver
# Update pac-resolver to the patched version. Note that `npm update` only moves
# within the range declared in package.json, so a "^4.x" range stays on 4.x
npm update pac-resolver
# Install the fixed major explicitly instead
npm install pac-resolver@^5.0.0
# Run npm audit to verify the vulnerability is resolved
npm audit
# For yarn users
yarn upgrade pac-resolver@^5.0.0
yarn audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

