The vulnerability can be exploited by remote attackers to run malicious code inside Node.js applications.
The flaw affects Pac-Resolver versions before 5.0.0 and received a CVSS score of 8.1.
The expert explained that PAC files can be exploited to escape the sandbox and run malicious code on the underlying operating system.
“A flaw was found in nodejs-pac-resolver. A remote code execution can occur with untrusted input, due to unsafe PAC file handling. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability,” reads an advisory published by Red Hat.
The flaw was addressed in Pac-Resolver v5.0.0, Pac-Proxy-Agent v5.0.0, and Proxy-Agent v5.0.0. The development team fixed it by using a real sandbox instead of the Node.js built-in VM module.
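A check for the fixed releases listed above, as an added example that is not part of the original article or of the Pac-Resolver project: it scans a parsed package-lock.json for the three packages at versions older than 5.0.0. The function names and the sample lockfile are constructed for illustration.

```javascript
// Fixed releases as named in the article.
const FIXED = new Map([
  ['pac-resolver', '5.0.0'], ['pac-proxy-agent', '5.0.0'], ['proxy-agent', '5.0.0'],
]);

// true = older than fixed, false = fixed or newer, null = not a plain semver string.
function isBelow(version, fixed) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-)?/.exec(version);
  if (!m) return null; // git URL, tarball path, etc.: needs manual review
  const want = fixed.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const have = Number(m[i + 1]);
    if (have !== want[i]) return have < want[i];
  }
  return m[4] === '-'; // a prerelease of the fixed version sorts before it
}

// Accepts the parsed JSON of a package-lock.json (lockfileVersion 1, 2 or 3).
function findOutdated(lock) {
  const hits = [];
  const check = (name, version, where) => {
    if (!FIXED.has(name) || typeof version !== 'string') return;
    const below = isBelow(version, FIXED.get(name));
    if (below !== false) {
      hits.push({ name, version, where, status: below ? 'outdated' : 'unparsed' });
    }
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    check(path.split('node_modules/').pop(), entry.version, path);
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const where = trail ? trail + ' > ' + name : name;
      check(name, entry.version, where);
      walk(entry.dependencies, where);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile (lockfileVersion 2 shape), not from a real project.
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/proxy-agent': { version: '5.0.0' },
  'node_modules/pac-proxy-agent': { version: '4.1.0' },
  'node_modules/pac-proxy-agent/node_modules/pac-resolver': { version: '4.2.0' },
  'node_modules/example-lib': { version: '1.3.0' },
} };
console.log(findOutdated(SAMPLE_LOCK));
```

Transitive copies matter here: the sample shows an outdated pac-resolver nested under pac-proxy-agent, which a check of top-level dependencies alone would miss.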
(SecurityAffairs – hacking, Pac-Resolver)