Pug allows JavaScript code execution if an application accepts untrusted input
- Severity:
- Medium
Description
Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.
Recommendation
Update the pug package to the latest compatible version. Followings are version details:
- Affected version(s): <= 3.0.2
- Patched version(s): 3.0.3
References
Related Issues
- angular-base64-upload vulnerable to unauthenticated remote code execution - CVE-2024-42640
- Handling untrusted input can result in a crash, leading to loss of availability / denial of service - CVE-2024-30253
- Nuxt vulnerable to remote code execution via the browser when running the test locally - CVE-2024-34344
- ejs is vulnerable to remote code execution due to weak input validation - CVE-2017-1000228
You might also like:
- Tags:
- npm
- pug
Anything's wrong? Let us know Last updated on April 28, 2025


