Pug allows JavaScript code execution if an application accepts untrusted input

Description

Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.

Recommendation

Update the pug package to the latest compatible version. Followings are version details:

• Affected version(s): <= 3.0.2
• Patched version(s): 3.0.3

References

• GHSA-3965-hpx2-q597
• pugjs.org
• www.npmjs.com
• CVE-2024-36361
• CWE-94
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• happy-dom allows for server side code to be executed by a <script> tag - CVE-2024-51757
• happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript - CVE-2025-62410
• ejs is vulnerable to remote code execution due to weak input validation - CVE-2017-1000228
• HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft - CVE-2026-46496

You might also like:

How to Secure your NodeJs Express Javascript Application - part 2

How to Secure your NodeJs Express Javascript Application - part 1

SmartScanner 2.3: Smarter JavaScript Detection, Faster Scans, and Powerful CLI Enhancements

Tags:

npm

pug