CVE-2021-23406: Improper Control of Generation of Code ('Code Injection')
(updated )
This affects the package pac-resolver before 5.0.0. This can occur when used with untrusted input, due to unsafe PAC file handling. NOTE: The fix for this vulnerability is applied in the node-degenerator library, a dependency written by the same maintainer.
References
- github.com/TooTallNate/node-degenerator/commit/9d25bb67d957bc2e5425fea7bf7a58b3fc64ff9e
- github.com/TooTallNate/node-degenerator/commit/ccc3445354135398b6eb1a04c7d27c13b833f2d5
- github.com/TooTallNate/node-pac-resolver/releases/tag/5.0.0
- github.com/advisories/GHSA-9j49-mfvp-vmhm
- nvd.nist.gov/vuln/detail/CVE-2021-23406
- snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1568506
- snyk.io/vuln/SNYK-JS-PACRESOLVER-1564857
Detect and mitigate CVE-2021-23406 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →