Pug allows JavaScript code execution if an application accepts untrusted input
- Severity: Medium
Description
Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.
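A defensive wrapper, added here as an example; it is not pug's own code and not part of this advisory. It lets the name option through to the compile-to-client functions only when it is a plain JavaScript identifier, so a user-controlled value never reaches compileClient, compileFileClient or compileClientWithDependenciesTracked unchecked. The identifier pattern, the reserved-word list, the length ceiling, the function names and the fakeCompileClient stand-in (used so the block runs without pug installed) are all this example's own assumptions; updating to 3.0.3 remains the actual fix.

```javascript
// Added example (not pug's own code): gate the `name` option before it reaches
// pug.compileClient / compileFileClient / compileClientWithDependenciesTracked.
// The client-side output embeds `name` as the generated function's name, so
// this wrapper accepts nothing but plain ASCII JavaScript identifiers.
// The grammar, reserved-word list and length ceiling are this example's choices.

const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Syntactically identifiers, but not usable as a function name (conservative list).
const RESERVED = new Set([
  'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger', 'default',
  'delete', 'do', 'else', 'enum', 'export', 'extends', 'false', 'finally', 'for',
  'function', 'if', 'import', 'in', 'instanceof', 'new', 'null', 'return',
  'super', 'switch', 'this', 'throw', 'true', 'try', 'typeof', 'var', 'void',
  'while', 'with', 'yield', 'let', 'static', 'await',
]);

const MAX_NAME_LENGTH = 64; // ceiling chosen for this example

// Returns `name` unchanged when acceptable; throws otherwise.
function validateTemplateName(name) {
  if (typeof name !== 'string') {
    throw new TypeError('template name must be a string');
  }
  if (name.length === 0 || name.length > MAX_NAME_LENGTH) {
    throw new RangeError('template name has an unacceptable length');
  }
  if (!IDENTIFIER.test(name)) {
    throw new Error('template name must be a plain JavaScript identifier');
  }
  if (RESERVED.has(name)) {
    throw new Error('template name must not be a reserved word');
  }
  return name;
}

// Boolean form of the same check, convenient for request validation layers.
function isSafeTemplateName(name) {
  try {
    validateTemplateName(name);
    return true;
  } catch {
    return false;
  }
}

// `compileFn` is the pug function to call (pug.compileClient,
// pug.compileFileClient or pug.compileClientWithDependenciesTracked).
// It is passed in rather than required so the example runs offline.
// When no name is supplied, this example falls back to 'template'.
function compileForClient(compileFn, source, options = {}) {
  const name = validateTemplateName(options.name ?? 'template');
  return compileFn(source, { ...options, name });
}

// Constructed stand-in for pug.compileClient, used only for the demo below.
function fakeCompileClient(source, options) {
  return `function ${options.name}(locals) { return ${JSON.stringify(source)}; }`;
}

// Demo: an accepted name compiles, a rejected one never reaches the compiler.
const accepted = compileForClient(fakeCompileClient, 'p hi', { name: 'greeting' });
console.log(accepted);
console.log('"greet ing" accepted?', isSafeTemplateName('greet ing'));
```

Because the compile function is injected, the same check covers all three entry points named in the description: pass whichever pug method the application uses, along with require('pug') in real code. Requests whose name fails isSafeTemplateName are worth logging, since a well-behaved client has no reason to send anything other than an identifier.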
Recommendation
Update the pug package to the latest compatible version. Version details:
- Affected version(s): <= 3.0.2
- Patched version(s): 3.0.3
- Tags: npm, pug
Last updated on April 28, 2025