CVE-2024-36361: Pug allows JavaScript code execution if an application accepts untrusted input
Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the `name` option of the `compileClient`, `compileFileClient`, or `compileClientWithDependenciesTracked` function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.
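Upgrading to pug 3.0.3 or later (the release linked below) is the fix. As a defence-in-depth guard for applications that cannot upgrade immediately, the following added example (not code from the advisory or the pug project) validates the `name` option before it reaches any of the three client-compile functions. The compile function is injected as a parameter (an assumption made so the snippet runs without pug installed); in an application you would pass `require('pug').compileClient` or one of its siblings.

```javascript
// Added example, not from the pug project: reject any `name` that is not a
// plain JavaScript identifier before it is handed to pug's client compiler.
// Vulnerable versions (<= 3.0.2) emit the name directly into generated code,
// so restricting it to identifier characters removes the injection surface.

// ECMAScript reserved words cannot name a function either; refuse them too.
const RESERVED = new Set([
  'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger', 'default',
  'delete', 'do', 'else', 'enum', 'export', 'extends', 'false', 'finally', 'for',
  'function', 'if', 'import', 'in', 'instanceof', 'new', 'null', 'return',
  'super', 'switch', 'this', 'throw', 'true', 'try', 'typeof', 'var', 'void',
  'while', 'with', 'yield', 'let', 'static', 'await', 'implements', 'interface',
  'package', 'private', 'protected', 'public',
]);

// Deliberately stricter than the ECMAScript identifier grammar: ASCII letters,
// digits, `_` and `$` only, no leading digit, bounded length.
const IDENT = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

function isSafeTemplateName(name) {
  return typeof name === 'string' && IDENT.test(name) && !RESERVED.has(name);
}

// Wraps compileClient / compileFileClient / compileClientWithDependenciesTracked.
// `compileFn` is the pug function to call (injected here so this file runs
// stand-alone). pug's documented default for `name` is 'template'.
function guardedCompileClient(compileFn, source, options = {}) {
  const name = options.name === undefined ? 'template' : options.name;
  if (!isSafeTemplateName(name)) {
    throw new Error(`refusing unsafe pug client template name: ${JSON.stringify(name)}`);
  }
  return compileFn(source, { ...options, name });
}
```

In practice the guard belongs at the trust boundary (the request handler or config loader that accepts the name), and it complements rather than replaces the upgrade.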
References
- github.com/Coding-Competition-Team/hackac-2024/tree/main/web/pug
- github.com/advisories/GHSA-3965-hpx2-q597
- github.com/pugjs/pug
- github.com/pugjs/pug/blob/4767cafea0af3d3f935553df0f9a8a6e76d470c2/packages/pug/lib/index.js
- github.com/pugjs/pug/commit/32acfe8f197dc44c54e8af32c7d7b19aa9d350fb
- github.com/pugjs/pug/pull/3428
- github.com/pugjs/pug/pull/3438
- github.com/pugjs/pug/releases/tag/pug%403.0.3
- nvd.nist.gov/vuln/detail/CVE-2024-36361
- pugjs.org/api/reference.html
- www.npmjs.com/package/pug-code-gen