Lucene search

GitHub Advisory DatabaseGHSA-3965-HPX2-Q597

HistoryMay 24, 2024 - 2:45 p.m.

Pug allows JavaScript code execution if an application accepts untrusted input

2024-05-2414:45:02

CWE-94

GitHub Advisory Database

github.com

pug

javascript

code execution

untrusted input

function security

software vulnerability

7.6 High

AI Score

Confidence

Low

0 Low

EPSS

Percentile

0.0%

JSON

Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.

Affected configurations

Vulners

Node

pugjspugRange≤3.0.2node.js

pugjspug-code-genRange≤2.0.3node.js

CPENameOperatorVersion
pugle3.0.2
pug-code-genle2.0.3

CPE	Name	Operator	Version
	pug	le	3.0.2
	pug-code-gen	le	2.0.3

References

github.com/advisories/GHSA-3965-hpx2-q597

github.com/Coding-Competition-Team/hackac-2024/tree/main/web/pug

github.com/pugjs/pug/blob/4767cafea0af3d3f935553df0f9a8a6e76d470c2/packages/pug/lib/index.js#L328

github.com/pugjs/pug/commit/32acfe8f197dc44c54e8af32c7d7b19aa9d350fb

github.com/pugjs/pug/pull/3428

github.com/pugjs/pug/pull/3438

github.com/pugjs/pug/releases/tag/pug%403.0.3

nvd.nist.gov/vuln/detail/CVE-2024-36361

pugjs.org/api/reference.html

www.npmjs.com/package/pug-code-gen