Lucene search
AnonymousNODEJS:1644HistoryMar 03, 2021 - 2:16 a.m.
Remote Code Execution
2021-03-0302:16:22
Anonymous
www.npmjs.com
48
remote code execution
pug
pug-code-gen
upgrade
node.js
advisory
cve
EPSS
0.041
Percentile
92.2%
Overview
Impact
In affected versions of pug and pug-code-gen, if a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend.
Patches
Upgrade to [email protected] or [email protected] or [email protected], which correctly sanitise the parameter.
Workarounds
If there is no way for un-trusted input to be passed to pug as the pretty option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.
Recommendation
Upgrade pug-code-gen to version 2.0.3 or 3.0.2.
References
Related
prion
prion
Remote code execution
2021-03-03 02:15:00
veracode
veracode
Remote Code Execution (RCE)
2021-03-04 02:57:09
cvelist
cvelist
CVE-2021-21353 Remote code execution in pug
2021-03-03 01:50:18
osv
osv
CGA-j4c8-m5vj-j3jg
2024-09-25 05:26:35
CGA-cp8p-w2m9-jwgg
2024-09-25 05:21:05
Remote code execution via the `pretty` option.
2021-03-03 02:03:52
ibm
ibm
nodejs
nodejs
Remote Code Execution
2021-03-03 02:09:54
redhatcve
redhatcve
CVE-2021-21353
2022-12-01 20:26:05
cve
cve
CVE-2021-21353
2021-03-03 02:15:13
nvd
nvd
CVE-2021-21353
2021-03-03 02:15:13
github
github
Remote code execution via the `pretty` option.
2021-03-03 02:03:52