Homepage
About Snyk

pupa@1.0.0 vulnerabilities

Simple micro templating

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the pupa package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Cross-site Scripting (XSS)

pupa is a Simple micro template engine.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to a lack of escaping for HTML entities. This means that output rendered by browsers is vulnerable to code injection.

POC

const pupa = require('pupa');
 
document.write(pupa('Example payload {payload} is {phone.mobile}', {
    payload: '<script>alert(document.domain)</script>',
}));

How to fix Cross-site Scripting (XSS)?

Upgrade pupa to version 2.0.0 or higher.

<2.0.0
Go back to all versions of this package