Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zOTY1LWhweDItcTU5N84AA8iR
Pug allows JavaScript code execution if an application accepts untrusted input
Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.
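An added defensive example (not code from the Pug project or the advisory) for applications still on a version at or below 3.0.2: it assumes the name option is emitted verbatim as the generated function's identifier, so it only accepts a plain JavaScript identifier that is not a reserved word, and wraps pug.compileClient behind that check.

```javascript
// Added defensive example, not code from the Pug project. Assumption: the
// client-compile functions use the `name` option verbatim as the identifier
// of the generated template function, so only a plain, non-reserved
// JavaScript identifier is acceptable.

const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Syntactically valid identifiers that still cannot be used as a function name.
const RESERVED = new Set([
  'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger',
  'default', 'delete', 'do', 'else', 'enum', 'export', 'extends', 'false',
  'finally', 'for', 'function', 'if', 'import', 'in', 'instanceof', 'new',
  'null', 'return', 'super', 'switch', 'this', 'throw', 'true', 'try',
  'typeof', 'var', 'void', 'while', 'with', 'yield', 'let', 'static',
  'await', 'implements', 'interface', 'package', 'private', 'protected',
  'public',
]);

// True only for a string that can safely serve as the generated function name.
function isSafeTemplateName(name) {
  return typeof name === 'string' && IDENTIFIER.test(name) && !RESERVED.has(name);
}

// Wrapper around pug.compileClient that rejects an unsafe `name` before any
// code generation happens. `pug` is required lazily so the validator itself
// can be used (and tested) without the package installed.
function compileClientSafe(source, options = {}) {
  if ('name' in options && !isSafeTemplateName(options.name)) {
    throw new TypeError(`unsafe template name rejected: ${JSON.stringify(options.name)}`);
  }
  const pug = require('pug');
  return pug.compileClient(source, options);
}
```

The same check applies unchanged to compileFileClient and compileClientWithDependenciesTracked, which take the same name option.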
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zOTY1LWhweDItcTU5N84AA8iR
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 7 months ago
Updated: 5 months ago
CVSS Score: 6.8
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Identifiers: GHSA-3965-hpx2-q597, CVE-2024-36361
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-36361
- https://github.com/pugjs/pug/pull/3428
- https://github.com/Coding-Competition-Team/hackac-2024/tree/main/web/pug
- https://github.com/pugjs/pug/blob/4767cafea0af3d3f935553df0f9a8a6e76d470c2/packages/pug/lib/index.js#L328
- https://pugjs.org/api/reference.html
- https://www.npmjs.com/package/pug-code-gen
- https://github.com/pugjs/pug/pull/3438
- https://github.com/pugjs/pug/commit/32acfe8f197dc44c54e8af32c7d7b19aa9d350fb
- https://github.com/pugjs/pug/releases/tag/pug%403.0.3
- https://github.com/advisories/GHSA-3965-hpx2-q597
Blast Radius: 36.5
Affected Packages
npm:pug
Dependent packages: 5,864
Dependent repositories: 231,297
Downloads: 6,658,187 last month
Affected Version Ranges: <= 3.0.2
Fixed in: 3.0.3
All affected versions: 0.0.0, 0.1.0, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 3.0.0, 3.0.1, 3.0.2
All unaffected versions: 3.0.3
npm:pug-code-gen
Dependent packages: 52
Dependent repositories: 164,548
Downloads: 6,669,769 last month
Affected Version Ranges: <= 2.0.3
Fixed in: 3.0.3
All affected versions: 0.0.0, 0.0.5, 0.0.6, 0.0.7, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 2.0.0, 2.0.1, 2.0.2, 2.0.3
All unaffected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3