Improper Control of Generation of Code ('Code Injection') Affecting pug-code-gen package, versions <3.0.3
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-PUGCODEGEN-7086056
- published 24 May 2024
- disclosed 24 May 2024
- credit samuzora
Introduced: 24 May 2024
CVE-2024-36361 Open this link in a new tabHow to fix?
Upgrade pug-code-gen
to version 3.0.3 or higher.
Overview
pug-code-gen is a Default code-generator for pug. It generates HTML via a JavaScript template function.
Affected versions of this package are vulnerable to Improper Control of Generation of Code ('Code Injection') via the name
option of the compileClient
, compileFileClient
, or compileClientWithDependenciesTracked
functions. An attacker can execute arbitrary JavaScript code by providing untrusted input.
Note:
These functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.
PoC
const express = require("express")
const pug = require("pug")
const runtimeWrap = require('pug-runtime/wrap');
const PORT = 3000
const app = express()
app.get("/", (req, res) => {
const out = runtimeWrap(pug.compileClient('string of pug', req.query))
res.send(out())
})
app.listen(PORT, () => {
console.log(`Server is running on port ${PORT}`)
})