Pug allows JavaScript code execution if an application accepts untrusted input

Severity:: Medium

Description

Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.

Recommendation

Update the pug package to the latest compatible version. Followings are version details:

Affected version(s): <= 3.0.2
Patched version(s): 3.0.3

References

GHSA-3965-hpx2-q597
pugjs.org
www.npmjs.com
CVE-2024-36361
CWE-94
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

JSONPath Plus allows Remote Code Execution - CVE-2025-1302
Remote Code Execution on click of <a> Link in markdown preview - CVE-2024-49362
Angular Expressions - Remote Code Execution when using locals - CVE-2024-54152
MailDev Remote Code Execution - CVE-2024-27448

Tags:: npm; pug

Anything's wrong? Let us know Last updated on April 28, 2025