GHSA-3965-hpx2-q597
Suggest an improvement- Source
- https://github.com/advisories/GHSA-3965-hpx2-q597
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-3965-hpx2-q597/GHSA-3965-hpx2-q597.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-3965-hpx2-q597
- Aliases
- Related
- Published
- 2024-05-24T14:45:02Z
- Modified
- 2025-04-28T14:20:50Z
- Severity
-
- 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Pug allows JavaScript code execution if an application accepts untrusted input
- Details
-
Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the
compileClient,compileFileClient, orcompileClientWithDependenciesTrackedfunction. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers. - Database specific
{ "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-94" ], "nvd_published_at": "2024-05-24T06:15:08Z", "github_reviewed_at": "2024-05-24T14:45:02Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2024-36361
- https://github.com/pugjs/pug/pull/3428
- https://github.com/pugjs/pug/pull/3438
- https://github.com/pugjs/pug/commit/32acfe8f197dc44c54e8af32c7d7b19aa9d350fb
- https://github.com/Coding-Competition-Team/hackac-2024/tree/main/web/pug
- https://github.com/pugjs/pug
- https://github.com/pugjs/pug/blob/4767cafea0af3d3f935553df0f9a8a6e76d470c2/packages/pug/lib/index.js#L328
- https://github.com/pugjs/pug/releases/tag/pug%403.0.3
- https://pugjs.org/api/reference.html
- https://www.npmjs.com/package/pug-code-gen
Affected packages
npm / pug-code-gen
Package
- Name
- pug-code-gen
- View open source insights on deps.dev
- Purl
- pkg:npm/pug-code-gen
npm / pug
Package
- Name
- pug
- View open source insights on deps.dev
- Purl
- pkg:npm/pug