Proxy-agent has released a new version, 6.1.0, building upon the existing 6.0.0. Both versions serve the core purpose of mapping proxy protocols to http.Agent implementations, simplifying the process of utilizing various proxy types like HTTP, HTTPS, PAC, and SOCKS within Node.js applications. The dependency list remains identical between the two, including crucial modules like debug for troubleshooting, lru-cache for performance optimization, and the suite of protocol-specific agents (http-proxy-agent, https-proxy-agent, socks-proxy-agent, pac-proxy-agent).
The primary distinction lies in the dist object, revealing a slight increase in the unpacked size from 19625 bytes in version 6.0.0 to 20791 bytes in version 6.1.0. This increase, along with the later release date, often signals the inclusion of bug fixes, performance enhancements, or minor feature additions. While the core functionality and dependency structure appear unchanged, developers upgrading to 6.1.0 can anticipate a refined and more robust experience.
For developers using proxy-agent, this library removes the complexity of directly managing proxy connections. By automatically detecting and using environment variables such as http_proxy, https_proxy and no_proxy, it makes the integration of proxy setups seamless even in flexible environments. New features in 6.1.0 could offer subtle improvements such as enhanced support for specific environments, better error handling, or security patches, offering added reliability for applications relying on proxy configurations. Always consult the changelog.
All the vulnerabilities related to the version 6.1.0 of the package
vm2 Sandbox Escape vulnerability
In vm2 for versions up to 3.9.19, Promise handler sanitization can be bypassed, allowing attackers to escape the sandbox and run arbitrary code.
Remote Code Execution, assuming the attacker has an arbitrary code execution primitive inside the context of the vm2 sandbox.
None.
None.
PoC - https://gist.github.com/leesh3288/f693061e6523c97274ad5298eb2c74e9
If you have any questions or comments about this advisory:
Thanks to Xion (SeungHyun Lee) of KAIST Hacking Lab for disclosing this vulnerability.
vm2 Sandbox Escape vulnerability
In vm2 for versions up to 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code.
Remote Code Execution, assuming the attacker has an arbitrary code execution primitive inside the context of the vm2 sandbox.
None.
None.
PoC is to be disclosed on or after the 5th of September.
While this advisory might look similar to CVE-2023-37466, it is a completely different way of escaping the sandbox.
If you have any questions or comments about this advisory:
Thanks to Xion (SeungHyun Lee) of KAIST Hacking Lab for disclosing this vulnerability.
ip SSRF improper categorization in isPublic
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.
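The address forms listed in the ip advisory above can be handled on the defensive side by parsing strictly and failing closed. The following is an added example, not code from the ip package or from this page; the function names (`parseV4`, `parseV6`, `v4Public`, `isPublicStrict`) are hypothetical and the list of non-public ranges is an assumed minimal set.

```javascript
// Added example (not the ip package's code): fail-closed classification for an SSRF check.
// Strict IPv4: exactly four decimal octets, no leading zeros, each 0-255.
function parseV4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const parts = m.slice(1);
  if (parts.some((p) => (p.length > 1 && p[0] === '0') || Number(p) > 255)) return null;
  return parts.map(Number);
}
// IPv6 to eight 16-bit groups; accepts "::", zero padding, mixed case, IPv4 tail.
function parseV6(s) {
  if (s.includes('.')) { // rewrite an embedded IPv4 tail as two hex groups
    const i = s.lastIndexOf(':');
    const v4 = i < 0 ? null : parseV4(s.slice(i + 1));
    if (!v4) return null;
    const hex = (hi, lo) => ((hi << 8) | lo).toString(16);
    s = s.slice(0, i + 1) + hex(v4[0], v4[1]) + ':' + hex(v4[2], v4[3]);
  }
  const halves = s.split('::');
  if (halves.length > 2) return null; // "::" may appear only once
  const split = (h) => (h === '' ? [] : h.split(':'));
  const head = split(halves[0]);
  const tail = halves.length === 2 ? split(halves[1]) : [];
  const gap = 8 - head.length - tail.length;
  if (halves.length === 2 ? gap < 1 : gap !== 0) return null;
  const groups = [...head, ...Array(gap).fill('0'), ...tail];
  if (!groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}
// Assumed minimal set of non-public IPv4 ranges (a, b = first two octets).
function v4Public([a, b]) {
  return !(a === 0 || a === 10 || a === 127 || a >= 224 ||
    (a === 100 && b >= 64 && b <= 127) || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168));
}
// True only for addresses that parse strictly AND fall outside the listed ranges.
function isPublicStrict(addr) {
  const v4 = parseV4(addr);
  if (v4) return v4Public(v4);
  const g = parseV6(addr);
  if (!g) return false; // shorthand, octal-looking and integer forms: fail closed
  if (g.slice(0, 5).every((x) => x === 0)) {
    if (g[5] === 0xffff) return v4Public([g[6] >> 8, g[6] & 255]); // IPv4-mapped
    if (g[5] === 0) return false; // ::, ::1 and deprecated IPv4-compatible forms
  }
  // Unique-local fc00::/7, link-local fe80::/10, multicast ff00::/8 are not public.
  return !((g[0] & 0xfe00) === 0xfc00 || (g[0] & 0xffc0) === 0xfe80 || (g[0] & 0xff00) === 0xff00);
}
```

All five addresses named in the advisory return `false` here, either because they normalize to loopback or because they are not in strict canonical form. In an outbound-request filter the same check belongs on the address the connection is actually made to, not only on the literal taken from the URL.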