CVE-2024-36361

Name of the Vulnerable Software and Affected Versions Pug versions 3.0.2 and earlier

Description The issue is related to the incorrect management of code generation in the Pug template engine, specifically in the compileClient, compileFileClient, and compileClientWithDependenciesTracked functions. These functions are used for compiling Pug templates into JavaScript. If an application accepts untrusted input for the name option of these functions, it may allow an attacker to execute arbitrary JavaScript code. Typically, there would be no reason to allow untrusted callers for these functions.

Recommendations For Pug versions 3.0.2 and earlier, consider disabling the compileClient, compileFileClient, and compileClientWithDependenciesTracked functions until a patch is available to prevent potential code execution. Restrict access to these functions to minimize the risk of exploitation. Avoid using untrusted input for the name option of these functions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.