CVE-2021-21353

MEDIUM

Pug < 3.0.1 - Injection

Title source: rule

Description

Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including "pug", "pug-code-gen". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the `pretty` option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.

Exploits (1)

nomisec WORKING POC 2 stars

by jinsu9758 · poc

https://github.com/jinsu9758/PUG-RCE-CVE-2021-21353-POC

View Code ZIP pw:eip

References (7)

[Patch, Third Party Advisory] https://github.com/pugjs/pug/commit/991e78f7c4220b2f8da042877c6f0ef5a4683be0

[Exploit, Patch, Third Party Advisory] https://github.com/pugjs/pug/issues/3312

[Patch, Third Party Advisory] https://github.com/pugjs/pug/pull/3314

[Release Notes, Third Party Advisory] https://github.com/pugjs/pug/releases/tag/pug%403.0.1

[Third Party Advisory] https://github.com/pugjs/pug/security/advisories/GHSA-p493-635q-r6gr

[Product, Third Party Advisory] https://www.npmjs.com/package/pug

[Product, Third Party Advisory] https://www.npmjs.com/package/pug-code-gen

Scores

CVSS v3 6.8

EPSS 0.0130

EPSS Percentile 79.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Details

CWE

CWE-74 CWE-94

Status published

Products (4)

npm/pug 0 - 3.0.1npm

npm/pug-code-gen 0 - 2.0.3npm

pugjs/pug < 3.0.1

pugjs/pug-code-gen < 2.0.3

Published Mar 03, 2021

Tracked Since Feb 18, 2026