This popular NPM package has a security flaw

pac-resolver, an NPM library with more than 2.7 million weekly downloads, has been found to have a major security flaw.

Daniel Kioko
TheCodr
1 min read · Sep 7, 2021


What is pac-resolver?

pac-resolver is a library that lets developers configure proxy settings for Node.js apps.

This popular NPM package had a major flaw that could have allowed an attacker on the local network to remotely run malicious code inside a Node.js process whenever a client tried to send an HTTP request.

Developers using pac-resolver in their Node.js apps should confirm that they are on the latest version (5.0.0) and, if they are not, update as soon as possible to prevent attacks.

If you are using this library and have not updated it yet, you are most likely at risk if:

  • You have used PAC files for proxy configuration
  • You acquire your operating system’s proxy configuration in Node.js
  • You have a proxy configuration from a third party that is not trusted
