
Security Vulnerability : pac-resolver #335

Closed
Adhikaripr opened this issue Sep 6, 2023 · 10 comments
@Adhikaripr

Introduced through: docusign-esign@6.4.0 › superagent-proxy@2.1.0 › proxy-agent@4.0.1 › pac-proxy-agent@4.1.0 › pac-resolver@4.2.0

Overview
Affected versions of this package are vulnerable to Remote Code Execution (RCE). This can occur when used with untrusted input, due to unsafe PAC file handling.

In order to exploit this vulnerability in practice, this either requires an attacker on your local network, a specific vulnerable configuration, or some second vulnerability that allows an attacker to set your config values.
https://security.snyk.io/vuln/SNYK-JS-PACRESOLVER-1564857

Remediation
Upgrade pac-resolver to version 5.0.0 or higher.

@cbsdsdevsup

Hi Adhikaripr,

Thank you for contacting DocuSign Developer Support.
We have raised this internally and will let you know as soon as we have an update.

Best regards,
Conar | DocuSign Developer Support

@OscarGodson

Any updates on this? In this particular case, is this not an issue, or if it is an issue, are there recommended temporary remediations?

(attached image: Screenshot 2023-09-11 at 12 46 51 PM)

@annesophien
Contributor

> Any updates on this? In this particular case, is this not an issue, or if it is an issue, are there recommended temporary remediations?
>
> (attached image: Screenshot 2023-09-11 at 12 46 51 PM)

Hi @OscarGodson, our team has a ticket to address the security vulnerability introduced by pac-resolver and has prioritized the fix in our next sprint. In the meantime, you can remediate the vulnerability by upgrading pac-resolver to version 5.0.0 or higher.

@OscarGodson

We don't use pac-resolver directly, so it's not in our package.json, so I'm not sure how to upgrade it.

@cbsdsdevsup

Hi @OscarGodson ,

It is actually "superagent-proxy@2.1.0" (in the package.json) whose dependencies (proxy-agent@4.0.1 -> pac-proxy-agent@4.1.0 -> pac-resolver@4.2.0) use pac-resolver.
So you can either upgrade superagent-proxy to 3.0.0 or downgrade the docusign-esign package to 6.3.0.

package.json:

```json
"superagent-proxy": "^2.0.0"
```

Let us know if you are happy for us to close this case.

Best regards,
Conar | DocuSign Developer Support
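One way to check a project for this transitive dependency, added here as an example and not code from docusign-esign or from anyone in this thread: the script below walks an npm lockfile (lockfileVersion 2 or 3, which carry a `packages` map keyed by install path), reports every installed copy of a package whose version is below the fixed release, and prints the dependency chain that pulls each copy in. The sample lockfile is constructed to mirror the chain from the issue; the `other-tool` package and every dependency range except superagent-proxy's `^2.0.0` are made up for illustration.

```javascript
// Added example (not part of docusign-esign): scan an npm lockfile for
// vulnerable copies of a package and show the chain that pulls each one in.

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; pre-release suffix ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when `version` sorts strictly before `threshold` (e.g. 4.2.0 < 5.0.0).
function isBelow(version, threshold) {
  const a = parseVersion(version);
  const b = parseVersion(threshold);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Last package name in a lockfile key such as "node_modules/a/node_modules/b".
function packageName(key) {
  const parts = key.split("node_modules/").map((s) => s.replace(/\/$/, "")).filter(Boolean);
  return parts[parts.length - 1];
}

// Resolve `depName` as Node would from the package installed at `fromKey`:
// its own node_modules first, then each ancestor's, then the root's.
function resolveDep(packages, fromKey, depName) {
  let base = fromKey;
  for (;;) {
    const candidate = base === "" ? `node_modules/${depName}` : `${base}/node_modules/${depName}`;
    if (candidate in packages) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Reverse edges: lockfile key -> keys of the packages that depend on it.
function buildDependents(packages) {
  const dependents = new Map();
  for (const [key, entry] of Object.entries(packages)) {
    for (const depName of Object.keys(entry.dependencies || {})) {
      const target = resolveDep(packages, key, depName);
      if (target === null) continue;
      if (!dependents.has(target)) dependents.set(target, []);
      dependents.get(target).push(key);
    }
  }
  return dependents;
}

// Breadth-first walk up the dependents graph to the root entry "" and return
// the package names from the project's direct dependency down to `key`.
function chainFromRoot(dependents, key) {
  const prev = new Map([[key, null]]);
  const queue = [key];
  while (queue.length > 0) {
    const cur = queue.shift();
    if (cur === "") {
      const names = [];
      for (let k = prev.get(cur); k !== null; k = prev.get(k)) names.push(packageName(k));
      return names;
    }
    for (const parent of dependents.get(cur) || []) {
      if (!prev.has(parent)) { prev.set(parent, cur); queue.push(parent); }
    }
  }
  return null; // not reachable from the root (extraneous package)
}

// Report every installed copy of `pkgName` older than `fixedVersion`.
function findVulnerable(lockfile, pkgName, fixedVersion) {
  const packages = lockfile.packages || {};
  const dependents = buildDependents(packages);
  const findings = [];
  for (const [key, entry] of Object.entries(packages)) {
    if (key === "" || packageName(key) !== pkgName) continue;
    if (!entry.version || !isBelow(entry.version, fixedVersion)) continue;
    const chain = chainFromRoot(dependents, key);
    findings.push({ version: entry.version, chain: chain ? chain.join(" > ") : "(unreachable from root)" });
  }
  return findings;
}

// Constructed sample lockfile mirroring the chain from the issue. "other-tool"
// and every range except superagent-proxy's "^2.0.0" are made up.
const SAMPLE_LOCKFILE = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "docusign-esign": "^6.4.0" } },
    "node_modules/docusign-esign": { version: "6.4.0", dependencies: { "superagent-proxy": "^2.0.0" } },
    "node_modules/superagent-proxy": { version: "2.1.0", dependencies: { "proxy-agent": "^4.0.0" } },
    "node_modules/proxy-agent": { version: "4.0.1", dependencies: { "pac-proxy-agent": "^4.1.0" } },
    "node_modules/pac-proxy-agent": { version: "4.1.0", dependencies: { "pac-resolver": "^4.2.0" } },
    "node_modules/pac-resolver": { version: "4.2.0" },
    // A second, nested copy already on the fixed line: must not be reported.
    "node_modules/other-tool": { version: "1.0.0", dependencies: { "pac-resolver": "^5.0.0" } },
    "node_modules/other-tool/node_modules/pac-resolver": { version: "5.0.0" },
  },
};

for (const f of findVulnerable(SAMPLE_LOCKFILE, "pac-resolver", "5.0.0")) {
  console.log(`pac-resolver@${f.version} via ${f.chain}`);
}
```

For a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. `npm ls pac-resolver` gives the same picture from the command line, but a lockfile scan can run in CI before anything is installed. The key nesting in a lockfile only records where a copy was hoisted, not who requires it, which is why the script resolves each `dependencies` entry the way Node's module lookup does instead of reading the key path.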

@juniorp07

Is there an update regarding the pac-resolver vulnerability? Can we get a status update on the fix? Has it been addressed in the recent sprint as mentioned?

Thanks for keeping us informed.

@comp615

comp615 commented Nov 17, 2023

@annesophien @cbsdsdevsup this seems like a pretty straightforward fix. But it looks like the pac-resolver fix was deployed and then rolled back. Do you have an update on what's going on here? It's taken 3 months to resolve, which is a little disconcerting.

@joaomvfsantos

It seems that this was fixed on 6.3.0 and is back on 6.5.1.

@sonawane-sanket
Contributor

Hello All,

We've removed the vulnerability, and you can now access the updated version here: 6.6.0-rc2.

Please find further updates in this issue.

@sonawane-sanket
Contributor

We're excited to announce the release of the public version 7.0.0.
We encourage you to upgrade and check out the changelog here.
