Description
If a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user-provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the Node.js backend.
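The vulnerable pattern the advisory describes (spreading request input straight into the object handed to the template engine) next to an allow-list that keeps a request-controlled `pretty` key away from the compiler. This is an added example, not code from the advisory or from the pug project; the route-specific allow-list and the sample query object are constructed for illustration.

```javascript
// Vulnerable pattern from the advisory: spreading the whole query object
// into the render options means a request can set `pretty`, which Express
// forwards to the pug compiler together with the template locals.
function unsafeLocals(query) {
  return { title: 'Search', ...query };
}

// Hardened pattern: copy only the keys this route expects, coerced to
// strings, so no compiler option can be smuggled in through the request.
const ALLOWED_QUERY_KEYS = ['q', 'page']; // hypothetical per-route allow-list

function safeLocals(query, allowed = ALLOWED_QUERY_KEYS) {
  const locals = { title: 'Search' };
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(query, key)) {
      locals[key] = String(query[key]);
    }
  }
  return locals;
}

// Defensive check for tests or middleware: report keys in the object that
// will reach res.render() which collide with a pug compiler option.
// `pretty` is the option named in the advisory; extend the set as needed.
const PUG_COMPILER_OPTIONS = new Set(['pretty']);

function findCompilerOptionOverrides(locals) {
  return Object.keys(locals).filter((key) => PUG_COMPILER_OPTIONS.has(key));
}

// Constructed sample standing in for req.query on a request that carries a
// compiler option alongside a normal search parameter.
const sampleQuery = { q: 'pug', pretty: 'request-controlled value' };

console.log(findCompilerOptionOverrides(unsafeLocals(sampleQuery))); // ['pretty']
console.log(findCompilerOptionOverrides(safeLocals(sampleQuery)));   // []
```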
Recommendation
Update the pug package to the latest compatible version. Version details:
- Affected version(s): < 3.0.1
- Patched version(s): 3.0.1
Related Issues
- Angular Expressions - Remote Code Execution - CVE-2021-21277
- seroval Affected by Remote Code Execution via JSON Deserialization - CVE-2026-23737
- Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages - CVE-2025-59417
- Remote code execution in Eclipse Theia - CVE-2021-34435
Tags:
- npm
- pug
Last updated on May 28, 2025