CVE-2021-21353 – pug-code-gen
Package
Manager: npm
Name: pug-code-gen
Vulnerable Version: >=0 <2.0.3 || >=3.0.0 <3.0.2
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00934 (percentile 0.7527)
Details
Remote code execution via the `pretty` option.

### Impact

If a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user-provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the Node.js backend.

### Patches

Upgrade to `pug@3.0.1` or `pug-code-gen@3.0.2` or `pug-code-gen@2.0.3`, which correctly sanitise the parameter.

### Workarounds

If there is no way for untrusted input to be passed to pug as the `pretty` option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.

### References

Original report: https://github.com/pugjs/pug/issues/3312

### For more information

If you believe you have found other vulnerabilities, please **DO NOT** open an issue. Instead, you can follow the instructions in our [Security Policy](https://github.com/pugjs/pug/blob/master/SECURITY.md).
Metadata
Created: 2021-03-03T02:03:52Z
Modified: 2025-04-16T22:09:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-p493-635q-r6gr/GHSA-p493-635q-r6gr.json
CWE IDs: ["CWE-74", "CWE-94"]
Alternative ID: GHSA-p493-635q-r6gr
Finding: F184
Auto approve: 1