Main Vulnerability Database Vulnerabilities #VU103495

#VU103495 Code Injection in Pug - CVE-2024-36361

Published: February 3, 2025 / Updated: February 7, 2025

Vulnerability identifier: #VU103495

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2024-36361

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Pug

Software vendor:
Pugjs

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to Pug allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Remediation

Install updates from vendor's website.

External links

https://github.com/pugjs/pug/pull/3428
https://pugjs.org/api/reference.html

#VU103495 Code Injection in Pug - CVE-2024-36361

Description

Remediation

External links

Please verify you're human