Pug allows JavaScript code execution if an application accepts untrusted input
Severity: High
GitHub Reviewed
Published by the National Vulnerability Database: May 24, 2024
Published to the GitHub Advisory Database: May 24, 2024
Reviewed: May 24, 2024
Last updated: May 28, 2024

Description
Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.
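The advisory's point is that the name option ends up inside the JavaScript Pug emits (it becomes the name of the generated client-side template function), so a caller who controls it controls generated code. The mitigation for an application that must expose these compilers is to never pass an unchecked string as name: restrict it to a plain JavaScript identifier before it reaches Pug. The following is an added example, not code from Pug or from the advisory; it assumes the wrapper receives the compile function as a parameter (so it runs here without Pug installed; a real application would pass require('pug').compileClient), and the 64-character cap and the stand-in fakeCompileClient are constructed for the example.

```javascript
// Added example (not Pug's code): validate the `name` option before it reaches
// compileClient / compileFileClient / compileClientWithDependenciesTracked.

// A JavaScript identifier in its simplest form: ASCII letters, digits, _ and $,
// not starting with a digit. Deliberately stricter than the language allows,
// since a template function name never needs Unicode or escapes.
const IDENTIFIER_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Words that match the pattern above but are not usable as a function name
// (declaring `function if() {}` is a syntax error; `eval`/`arguments` are
// rejected in strict mode).
const RESERVED = new Set([
  'await', 'break', 'case', 'catch', 'class', 'const', 'continue', 'debugger',
  'default', 'delete', 'do', 'else', 'enum', 'export', 'extends', 'false',
  'finally', 'for', 'function', 'if', 'implements', 'import', 'in',
  'instanceof', 'interface', 'let', 'new', 'null', 'package', 'private',
  'protected', 'public', 'return', 'static', 'super', 'switch', 'this',
  'throw', 'true', 'try', 'typeof', 'var', 'void', 'while', 'with', 'yield',
  'eval', 'arguments',
]);

// Assumed limit for this example: long names have no legitimate use here.
const MAX_NAME_LENGTH = 64;

// Returns true only for names that can be embedded in generated JavaScript
// as a bare function identifier without changing the program's structure.
function isSafeTemplateName(name) {
  return (
    typeof name === 'string' &&
    name.length > 0 &&
    name.length <= MAX_NAME_LENGTH &&
    IDENTIFIER_RE.test(name) &&
    !RESERVED.has(name)
  );
}

// Wrapper around a Pug client compiler (passed in as `compileClient`).
// Pug's default function name is "template"; anything else must pass the check.
function compileClientChecked(compileClient, source, options = {}) {
  const name = options.name === undefined ? 'template' : options.name;
  if (!isSafeTemplateName(name)) {
    throw new TypeError(
      `refusing to compile: unsafe template function name ${JSON.stringify(name)}`
    );
  }
  return compileClient(source, { ...options, name });
}

// Constructed stand-in for pug.compileClient so the example runs without Pug.
// It mimics the relevant behaviour only: the name is spliced into JS source.
function fakeCompileClient(source, options) {
  return `function ${options.name}(locals) { /* compiled from: ${source} */ }`;
}

// Stand-alone demonstration.
console.log(compileClientChecked(fakeCompileClient, 'p hi', { name: 'card' }));
try {
  compileClientChecked(fakeCompileClient, 'p hi', { name: 'my-template' });
} catch (err) {
  console.log('rejected as expected:', err.message);
}
```

The check is intentionally an allow-list rather than a list of dangerous characters: anything that is not a plain identifier is refused, so there is no need to reason about which characters could alter the generated code. The same guard applies to compileFileClient and compileClientWithDependenciesTracked, since all three accept the same name option.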