CVE-2021-21353

MEDIUM

pug < 3.0.1 - Remote Code Execution via Pretty Option Injection

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-21353. PoCs published by jinsu9758.

AI-analyzed exploit summary: This repository contains a functional exploit PoC for CVE-2021-21353, a remote code execution vulnerability in PugJS. The exploit leverages template injection via the 'pretty' query parameter to execute arbitrary JavaScript code on the server.

Description

Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user-provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the Node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages, including "pug" and "pug-code-gen". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for untrusted input to be passed to pug as the `pretty` option. For example, if you compile templates in advance before applying user input to them, you do not need to upgrade.

Exploits (1)

nomisec WORKING POC 2 stars
by jinsu9758 · poc
https://github.com/jinsu9758/PUG-RCE-CVE-2021-21353-POC

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: PugJS (pug <= 3.0.0, pug-code-gen < 3.0.2)
No auth needed
Prerequisites: Vulnerable PugJS version · Exposed Express.js application using Pug templates
devstral-2 · analyzed Feb 18, 2026

References (7)

Core References
https://github.com/pugjs/pug/issues/3312 (Exploit, Patch, Third Party Advisory; x_refsource_misc)
https://github.com/pugjs/pug/pull/3314 (Patch, Third Party Advisory; x_refsource_misc)
https://github.com/pugjs/pug/releases/tag/pug%403.0.1 (Release Notes, Third Party Advisory; x_refsource_misc)
https://www.npmjs.com/package/pug (Product, Third Party Advisory; x_refsource_misc)
https://www.npmjs.com/package/pug-code-gen (Product, Third Party Advisory; x_refsource_misc)

Scores

CVSS v3 6.8
EPSS 0.0176
EPSS Percentile 83.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

Details

CWE: CWE-74, CWE-94
Status: published
Products (4)
npm/pug 0 - 3.0.1 (npm)
npm/pug-code-gen 0 - 2.0.3 (npm)
pugjs/pug < 3.0.1
pugjs/pug-code-gen < 2.0.3
Published: Mar 03, 2021
Tracked Since: Feb 18, 2026