Description
This affects the package pac-resolver before 5.0.0. This can occur when used with untrusted input, due to unsafe PAC file handling. **NOTE:** The fix for this vulnerability is applied in the node-degenerator library, a dependency written by the same maintainer.
References (5)
Core 5
Core References
Exploit, Patch, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-PACRESOLVER-1564857
Exploit, Patch, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1568506
Patch, Third Party Advisory x_refsource_misc
https://github.com/TooTallNate/node-degenerator/commit/ccc3445354135398b6eb1a04c7d27c13b833f2d5
Patch, Third Party Advisory x_refsource_misc
https://github.com/TooTallNate/node-degenerator/commit/9d25bb67d957bc2e5425fea7bf7a58b3fc64ff9e
Patch, Release Notes, Third Party Advisory x_refsource_misc
https://github.com/TooTallNate/node-pac-resolver/releases/tag/5.0.0
Scores
CVSS v3
8.1
EPSS
0.0100
EPSS Percentile
77.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (3)
npm/degenerator
0 - 3.0.1npm
npm/pac-resolver
0 - 5.0.0npm
pac-resolver_project/pac-resolver
< 5.0.0
Published
Aug 24, 2021
Tracked Since
Feb 18, 2026