Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS0zOTY1LWhweDItcTU5N84AA8iR

Pug allows JavaScript code execution if an application accepts untrusted input

Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. The name option sets the name of the generated template function and is spliced into the emitted JavaScript source, so a value that is not a plain identifier can carry arbitrary statements into that source. NOTE: these functions compile Pug templates into JavaScript; there would typically be no reason to let untrusted callers control their options.

Permalink: https://github.com/advisories/GHSA-3965-hpx2-q597
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zOTY1LWhweDItcTU5N84AA8iR
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 7 months ago
Updated: 5 months ago


CVSS Score: 6.8
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Identifiers: GHSA-3965-hpx2-q597, CVE-2024-36361
References: Repository: https://github.com/pugjs/pug
Blast Radius: 36.5

Affected Packages

npm:pug
Dependent packages: 5,864
Dependent repositories: 231,297
Downloads: 6,658,187 last month
Affected Version Ranges: <= 3.0.2
Fixed in: 3.0.3
All affected versions: 0.0.0, 0.1.0, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 3.0.0, 3.0.1, 3.0.2
All unaffected versions: 3.0.3
npm:pug-code-gen
Dependent packages: 52
Dependent repositories: 164,548
Downloads: 6,669,769 last month
Affected Version Ranges: <= 2.0.3
Fixed in: 3.0.3
All affected versions: 0.0.0, 0.0.5, 0.0.6, 0.0.7, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 2.0.0, 2.0.1, 2.0.2, 2.0.3
All unaffected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3