Description
If a remote attacker was able to control the `pretty` option of the pug compiler (for example, because a user-provided object such as a request's query parameters was spread into the pug template inputs), it was possible for them to achieve remote code execution on the Node.js backend.
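The unsafe pattern the advisory describes, placed next to an allowlisting alternative, as an added example (not code from the advisory or from the pug project). The names `renderOptionsUnsafe`, `renderOptionsSafe`, `findCompilerOptionKeys` and `PUG_COMPILER_OPTIONS` are assumptions made for this illustration; the sample query object is constructed. It does not load pug itself: the objects it builds are what an application would hand to `pug.render(source, options)` or `pug.renderFile(path, options)`, where pug reads compiler options and template data from the same object.

```javascript
// Keys that pug reads as compiler options rather than template data.
// `pretty` is the option this advisory concerns; the others are listed as a
// defensive superset (assumed list, taken from pug's documented options).
const PUG_COMPILER_OPTIONS = Object.freeze([
  'pretty', 'filename', 'basedir', 'doctype', 'filters', 'self', 'debug',
  'compileDebug', 'globals', 'cache', 'inlineRuntimeFunctions', 'plugins',
]);

// Vulnerable pattern (the one the advisory describes): every query-string
// key, `pretty` included, is spread into the object that reaches the
// compiler, so the request decides compiler options.
function renderOptionsUnsafe(query) {
  return { title: 'Search', ...query };
}

// Hardened pattern: copy only the fields the template actually needs into a
// fresh locals object, coerce them to strings, and keep request data away
// from compiler options. The allowlist itself is refused if it names one.
function renderOptionsSafe(query, allowedFields) {
  for (const field of allowedFields) {
    if (PUG_COMPILER_OPTIONS.includes(field)) {
      throw new Error(`refusing to expose pug compiler option "${field}" as template data`);
    }
  }
  const locals = {};
  for (const field of allowedFields) {
    if (Object.prototype.hasOwnProperty.call(query, field)) {
      locals[field] = String(query[field]);
    }
  }
  // Compiler options, if any, come from server-side constants only.
  return { title: 'Search', pretty: false, ...locals };
}

// Check usable in a unit test or lint step: which compiler-option keys does a
// render-options object contain? For the unsafe pattern, any key the request
// supplied shows up here; for the safe one only the server-set `pretty`.
function findCompilerOptionKeys(options) {
  return PUG_COMPILER_OPTIONS.filter((k) =>
    Object.prototype.hasOwnProperty.call(options, k));
}

// Constructed sample: a query string the way an Express app would parse it,
// e.g. /search?q=shoes&pretty=anything&filename=x
const sampleQuery = { q: 'shoes', pretty: 'anything', filename: 'x' };

console.log('unsafe:', findCompilerOptionKeys(renderOptionsUnsafe(sampleQuery)));
console.log('safe:  ', renderOptionsSafe(sampleQuery, ['q']));
```

With the unsafe builder the request's `pretty` and `filename` values reach the compiler; with the safe builder the rendered object contains only the allowlisted `q` field plus server-controlled options. Updating pug to a patched version removes the code-execution path, but the allowlist remains the right shape for any template engine that mixes options and data in one object.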
Recommendation
Update the pug package to the latest compatible version. Version details:
- Affected version(s): < 3.0.1
- Patched version(s): 3.0.1
References
Related Issues
- Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package - CVE-2025-68619
- FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration - CVE-2026-25894
- Nuxt vulnerable to remote code execution via the browser when running the test locally - CVE-2024-34344
- FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API - CVE-2026-25895
Tags:
- npm
- pug
Last updated on May 28, 2025