NPM package with 3 million weekly downloads had a severe vulnerability

Ax Sharma

Ars Technica




Popular NPM package "pac-resolver" has fixed a severe remote code execution (RCE) flaw.

The pac-resolver package receives over 3 million weekly downloads, so the vulnerability reaches every Node.js application that relies on it, directly or through a transitive dependency. Pac-resolver describes itself as a module that takes a proxy auto-config (PAC) file, which is JavaScript, and generates a function your app calls to decide which requests go direct and which go through a proxy.

To proxy or not to proxy

This week, developer Tim Perry disclosed a high-severity flaw in pac-resolver that lets an attacker on the local network run arbitrary code inside your Node.js process whenever that process attempts to make an HTTP request, which is the point at which the proxy configuration is consulted.
