Description
If a remote attacker could control the pretty option of the pug compiler, for example because a user-provided object such as a request's query parameters was spread into the pug template options, they could achieve remote code execution on the Node.js backend.
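As an added illustration of the pattern the description warns about (this is not code from the advisory or from the pug project), the following shows a render-options builder that spreads request input straight into the options, beside a hardened builder that forwards only named template locals. The request object, the option-name list and the function names are constructed for this example.

```javascript
// Names of pug compiler options that must never be reachable from request
// input. The list is illustrative (assumed from pug's documented options);
// the real fix is the allowlist in buildRenderOptionsHardened, not this list.
const PUG_COMPILER_OPTIONS = new Set([
  'pretty', 'basedir', 'filename', 'compileDebug', 'filters', 'plugins',
  'globals', 'self', 'doctype', 'inlineRuntimeFunctions', 'name',
]);

// Vulnerable pattern from the description: every key of the request object
// (e.g. req.query) becomes an option, so the client can set compiler options
// such as "pretty" and also override the application's own defaults.
function buildRenderOptionsVulnerable(defaults, requestInput) {
  return { ...defaults, ...requestInput };
}

// Hardened: copy only the locals the template actually needs, by name, and
// coerce them to strings. Anything else in the request is dropped, so the
// compiler options stay under the application's control.
function buildRenderOptionsHardened(defaults, requestInput, allowedLocals) {
  const locals = {};
  for (const key of allowedLocals) {
    if (Object.prototype.hasOwnProperty.call(requestInput, key)) {
      locals[key] = String(requestInput[key]);
    }
  }
  return { ...defaults, ...locals };
}

// Detection aid: report compiler option keys present in a render-options
// object, usable as a pre-render guard or a check on existing call sites.
function findCompilerOptionKeys(options) {
  return Object.keys(options).filter((k) => PUG_COMPILER_OPTIONS.has(k));
}

// Constructed sample input: a parsed query string carrying an extra key.
const SAMPLE_QUERY = { title: 'Hello', page: '2', pretty: 'x' };
const APP_DEFAULTS = { cache: true };

// Runs both builders over the sample and returns the leaked option keys.
function demo() {
  return {
    vulnerable: findCompilerOptionKeys(buildRenderOptionsVulnerable(APP_DEFAULTS, SAMPLE_QUERY)),
    hardened: findCompilerOptionKeys(buildRenderOptionsHardened(APP_DEFAULTS, SAMPLE_QUERY, ['title', 'page'])),
  };
}
```

Calling demo() yields ['pretty'] for the vulnerable builder and [] for the hardened one; the same guard can be run on the options object right before res.render in an Express app.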
Recommendation
Update the pug package to the latest compatible version. Version details:
- Affected version(s): < 3.0.1
- Patched version(s): 3.0.1
References
Related Issues
- Nuxt vulnerable to remote code execution via the browser when running the test locally - CVE-2024-34344
- Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages - CVE-2025-59417
- FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass - CVE-2026-43947
- Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package - CVE-2025-68619
- Tags:
- npm
- pug
Last updated on May 28, 2025