Improper Control of Generation of Code ('Code Injection') Affecting org.webjars.npm:pug-code-gen package, versions [0,]
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGWEBJARSNPM-7086057
- published 24 May 2024
- disclosed 24 May 2024
- credit samuzora
Introduced: 24 May 2024
CVE-2024-36361 Open this link in a new tabHow to fix?
There is no fixed version for org.webjars.npm:pug-code-gen.
Overview
org.webjars.npm:pug-code-gen is a Default code-generator for pug. It generates HTML via a JavaScript template function.
Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') via the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked functions. An attacker can execute arbitrary JavaScript code by providing untrusted input.
Note:
These functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.
PoC
const express = require("express")
const pug = require("pug")
const runtimeWrap = require('pug-runtime/wrap');
const PORT = 3000
const app = express()
app.get("/", (req, res) => {
const out = runtimeWrap(pug.compileClient('string of pug', req.query))
res.send(out())
})
app.listen(PORT, () => {
console.log(`Server is running on port ${PORT}`)
})