Lucene search

GoogleOSV:GHSA-3965-HPX2-Q597

HistoryMay 24, 2024 - 2:45 p.m.

Pug allows JavaScript code execution if an application accepts untrusted input

2024-05-2414:45:02

Google

osv.dev

pug

javascript

code execution

untrusted input

compileclient

compilefileclient

compileclientwithdependenciestracked

templates

7.3 High

AI Score

Confidence

High

0 Low

EPSS

Percentile

0.0%

JSON

Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.

CPENameOperatorVersion
pug-code-genlt3.0.3
puglt3.0.3

CPE	Name	Operator	Version
	pug-code-gen	lt	3.0.3
	pug	lt	3.0.3

References

github.com/Coding-Competition-Team/hackac-2024/tree/main/web/pug

github.com/pugjs/pug

github.com/pugjs/pug/blob/4767cafea0af3d3f935553df0f9a8a6e76d470c2/packages/pug/lib/index.js#L328

github.com/pugjs/pug/commit/32acfe8f197dc44c54e8af32c7d7b19aa9d350fb

github.com/pugjs/pug/pull/3428

github.com/pugjs/pug/pull/3438

github.com/pugjs/pug/releases/tag/pug%403.0.3

nvd.nist.gov/vuln/detail/CVE-2024-36361

pugjs.org/api/reference.html

www.npmjs.com/package/pug-code-gen