Pug allows JavaScript code execution if an application accepts untrusted input

Severity:: Medium

Description

Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.

Recommendation

Update the pug package to the latest compatible version. Followings are version details:

Affected version(s): <= 3.0.2
Patched version(s): 3.0.3

References

GHSA-3965-hpx2-q597
pugjs.org
www.npmjs.com
CVE-2024-36361
CWE-94
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Trix Editor Arbitrary Code Execution Vulnerability - CVE-2024-34341
PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF - CVE-2024-4367
MailDev Remote Code Execution - CVE-2024-27448
FUXA allows Remote Code Execution (RCE) via the project import functionality. - CVE-2025-69983

Tags:: npm; pug

Anything's wrong? Let us know Last updated on April 28, 2025