CVE-2021-21353

Name of the Vulnerable Software and Affected Versions pug versions prior to 3.0.1 pug-code-gen versions prior to 2.0.3

Description The issue is related to the insufficient neutralization of special elements in the output of the Pug HTML preprocessor, specifically in the VisitMixin and visitMixinBlock functions. This can allow a remote attacker to execute arbitrary code if they can control the pretty option of the pug compiler, for example, by spreading a user-provided object into the pug template inputs.

Recommendations For pug versions prior to 3.0.1, upgrade to version 3.0.1 or later. For pug-code-gen versions prior to 2.0.3, upgrade to version 2.0.3 or later. As a temporary workaround, consider compiling templates in advance before applying user input to them, to prevent un-trusted input from being passed to pug as the pretty option.