better-docs@1.4.7

Vulnerabilities

1 via 1 paths

Dependencies

152

Source

npm



high severity

Remote Code Execution (RCE)

  • Vulnerable module: pug
  • Introduced through: vue-docgen-api@3.26.0

Detailed paths

  • Introduced through: better-docs@1.4.7 vue-docgen-api@3.26.0 pug@2.0.4
    Remediation: Upgrade to vue-docgen-api@4.29.1.

Overview

pug is a clean, whitespace-sensitive template language for writing HTML.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). If a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user-provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the Node.js backend.

Remediation

Upgrade pug to version 3.0.1 or higher.
