proxy-agent is a Node.js package that maps proxy URLs onto http.Agent implementations, so that the same HTTP client can be pointed at an HTTP, HTTPS, SOCKS or PAC-configured proxy without protocol-specific code. Comparing versions 3.0.0 and 3.0.1 reveals a single, small dependency change: version 3.0.0 pins socks-proxy-agent at 3.0.0, while version 3.0.1 moves it to socks-proxy-agent 4.0.1. That bump is the only difference between the two releases.
For developers, upgrading to proxy-agent 3.0.1 therefore pulls in whatever changed between socks-proxy-agent 3.0.0 and 4.0.1, a major-version jump. Review the socks-proxy-agent changelog for breaking changes before relying on SOCKS behaviour staying the same.
Both versions share the same core functionality: debug logging, agent caching, and integration with the usual proxy environment variables and PAC file configuration. The supported protocols follow from the dependencies: http-proxy-agent (HTTP), https-proxy-agent (HTTPS), socks-proxy-agent (SOCKS), and pac-proxy-agent for PAC files, all built on agent-base, which does the work of creating the underlying agents. Because socks-proxy-agent owns the SOCKS path, any difference in SOCKS handling between the two proxy-agent releases comes from that dependency, and its release notes, not the proxy-agent diff, are where to look for the security, compatibility or performance changes the bump brings.
Known vulnerabilities affecting version 3.0.1 of the package, all of them in its dependency tree (pac-resolver, ip and netmask are transitive dependencies reached through the PAC support)
Code Injection in pac-resolver
This affects the package pac-resolver before 5.0.0. This can occur when used with untrusted input, due to unsafe PAC file handling. NOTE: The fix for this vulnerability is applied in the node-degenerator library, a dependency written by the same maintainer.
ip SSRF improper categorization in isPublic
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
Improper parsing of octal bytes in netmask
Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.
NOTE: The fix for this issue was incomplete. A subsequent fix was made in version 2.0.1, which was assigned CVE-2021-29418 / GHSA-pch5-whg9-qr2r. For complete protection from this vulnerability an upgrade to version 2.0.1 or later is recommended.
netmask npm package mishandles octal input data
The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918.