CVE-2024-36361 – pug-code-gen
Package
Manager: npm
Name: pug-code-gen
Vulnerable Version: >=0 <3.0.3
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00148 (percentile 0.35878)
Details
Summary: Pug allows JavaScript code execution if an application accepts untrusted input.
Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the `name` option of the `compileClient`, `compileFileClient`, or `compileClientWithDependenciesTracked` function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.
Metadata
Created: 2024-05-24T14:45:02Z
Modified: 2025-04-28T14:20:50Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-3965-hpx2-q597/GHSA-3965-hpx2-q597.json
CWE IDs: CWE-94 (Improper Control of Generation of Code, "Code Injection")
Alternative ID: GHSA-3965-hpx2-q597
Finding: F422
Auto approve: 1