pug-code-gen@1.1.1

Vulnerabilities: 1 via 1 paths
Dependencies: 21
Source: npm



high severity

Remote Code Execution (RCE)

  • Vulnerable module: pug-code-gen
  • Introduced through: pug-code-gen@1.1.1

Detailed paths

  • Introduced through: pug-code-gen@1.1.1
    Remediation: Upgrade to pug-code-gen@2.0.3.

Overview

pug-code-gen is the default code generator for pug. It generates HTML via a JavaScript template function.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). If a remote attacker was able to control the pretty option of the pug compiler, e.g. if you spread a user-provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the Node.js backend.

Remediation

Upgrade pug-code-gen to version 2.0.3, 3.0.2 or higher.
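As an added example (not code from this advisory or from the pug project), the spread-the-query-into-options pattern described in the overview is shown next to an allow-listed alternative that keeps request data out of compiler options; the helper names, the allowed-locals list and the sample query are assumptions for illustration.

```javascript
// Added example, not from the advisory or the pug project. Shows the
// request-to-options spread the advisory warns about next to an allow-list
// that keeps request data out of compiler options. Helper names and the
// allowed-locals list are assumptions for illustration.

// pug compiler options (documented pug API option names). A request must
// never be able to set any of these; `pretty` is the one the advisory calls out.
const PUG_COMPILER_OPTIONS = new Set([
  'filename', 'basedir', 'doctype', 'pretty', 'filters', 'self', 'debug',
  'compileDebug', 'globals', 'cache', 'inlineRuntimeFunctions', 'name', 'plugins',
]);

// Template variables this (hypothetical) route may fill from the query string.
const ALLOWED_LOCALS = new Set(['title', 'username']);

// Vulnerable pattern described in the overview: the whole query object is
// spread into the object handed to pug, so ?pretty=... becomes a compiler option.
function unsafeRenderOptions(query) {
  return { ...query };
}

// Hardened pattern: compiler options are fixed constants placed last so they
// cannot be overridden, and only allow-listed string values become locals.
function safeRenderOptions(query) {
  const locals = {};
  for (const [key, value] of Object.entries(query)) {
    if (ALLOWED_LOCALS.has(key) && typeof value === 'string') {
      locals[key] = value;
    }
  }
  return { ...locals, pretty: false, compileDebug: false };
}

// Review aid: which keys in request data collide with pug compiler options?
// A non-empty result on live traffic means the spread pattern is exploitable
// on an unpatched version and the input must be filtered before rendering.
function compilerOptionsFromRequest(query) {
  return Object.keys(query).filter((k) => PUG_COMPILER_OPTIONS.has(k)).sort();
}

// Constructed sample: a query string as parsed by a typical web framework.
const sampleQuery = { title: 'Hello', pretty: 'true', basedir: '/', username: 'alice' };
```

Upgrading to a fixed version remains the primary remediation; the allow-list is defence in depth that also prevents the other compiler options from being request-controlled.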
