Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient
, compileFileClient
, or compileClientWithDependenciesTracked
function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.
CPE | Name | Operator | Version |
---|---|---|---|
pug | le | 3.0.2 | |
pug-code-gen | le | 2.0.3 |
github.com/advisories/GHSA-3965-hpx2-q597
github.com/Coding-Competition-Team/hackac-2024/tree/main/web/pug
github.com/pugjs/pug/blob/4767cafea0af3d3f935553df0f9a8a6e76d470c2/packages/pug/lib/index.js#L328
github.com/pugjs/pug/commit/32acfe8f197dc44c54e8af32c7d7b19aa9d350fb
github.com/pugjs/pug/pull/3428
github.com/pugjs/pug/pull/3438
github.com/pugjs/pug/releases/tag/pug%403.0.3
nvd.nist.gov/vuln/detail/CVE-2024-36361
pugjs.org/api/reference.html
www.npmjs.com/package/pug-code-gen