CVE-2021-21353
Remote code execution via the `pretty` option.
Description
### Impact

If a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user-provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the Node.js backend.

### Patches

Upgrade to `[email protected]` or `[email protected]` or `[email protected]`, which correctly sanitise the parameter.

### Workarounds

If there is no way for untrusted input to be passed to pug as the `pretty` option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.

### References

Original report: https://github.com/pugjs/pug/issues/3312

### For more information

If you believe you have found other vulnerabilities, please **DO NOT** open an issue. Instead, you can follow the instructions in our [Security Policy](https://github.com/pugjs/pug/blob/master/SECURITY.md).
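The advisory's two points, the dangerous pattern (spreading a request object into the single options/locals object that `pug.render` takes) and the workaround (compile ahead of time, then pass only locals), as an added Node.js example. This is not code from the pug project or the advisory; the function names (`vulnerableRenderInput`, `toLocals`, `makeSearchRenderer`, `carriesCompilerOptions`) and the sample request objects are constructed here, and the list of compiler option names is an assumption taken from pug's documented API. The vulnerable pattern is only built and inspected, never handed to the compiler.

```javascript
// Added example (not pug project code): keeping untrusted request data out of the
// pug compiler's options. The request objects below are constructed sample input.

// Documented pug compiler options (assumption: list taken from pug 3's API docs).
// None of these may ever come from the client.
const PUG_COMPILER_OPTIONS = new Set([
  'filename', 'basedir', 'doctype', 'pretty', 'filters', 'self', 'debug',
  'compileDebug', 'globals', 'cache', 'inlineRuntimeFunctions', 'name', 'plugins',
]);

// VULNERABLE PATTERN: the object a naive handler would pass to pug.render /
// pug.renderFile, where compiler options and template locals share one object.
// A query key named like an option (?pretty=1) becomes compiler configuration.
// Built for inspection only; this example never renders it.
function vulnerableRenderInput(query) {
  return { title: 'Search results', ...query };
}

// HARDENED PATTERN, step 1: turn untrusted input into template locals only,
// dropping every key the compiler would read as an option. Values are coerced
// to strings so a query-string parser cannot hand the template nested objects.
function toLocals(query) {
  const locals = {};
  const dropped = [];
  for (const [key, value] of Object.entries(query)) {
    if (PUG_COMPILER_OPTIONS.has(key)) {
      dropped.push(key);
      continue;
    }
    locals[key] = Array.isArray(value) ? value.map(String) : String(value);
  }
  return { locals, dropped };
}

// HARDENED PATTERN, step 2: compile once with server-fixed options, render with
// locals only. A compiled template function accepts locals, so nothing in the
// request can reach `pretty`. pug is loaded lazily so the rest of this file
// runs without it installed (returns null in that case).
function makeSearchRenderer(templateSource) {
  let pug;
  try { pug = require('pug'); } catch { return null; }
  const template = pug.compile(templateSource, { pretty: false, filename: 'search.pug' });
  return (query) => template({ ...toLocals(query).locals, title: 'Search results' });
}

// Detection aid for an audit log or request filter: which compiler option
// names does this request object carry?
function carriesCompilerOptions(query) {
  return Object.keys(query).filter((k) => PUG_COMPILER_OPTIONS.has(k));
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample request: a benign search term plus a compiler option name.
  const sampleQuery = { q: 'shoes', pretty: '1' };
  console.log('naive merge exposes pretty:', 'pretty' in vulnerableRenderInput(sampleQuery));
  console.log('filtered locals:', JSON.stringify(toLocals(sampleQuery)));
  console.log('flagged keys:', carriesCompilerOptions(sampleQuery));
  const render = makeSearchRenderer('h1= title\np Results for #{q}');
  if (render) console.log(render(sampleQuery));
}
```

Run with `node` to see the naive merge carry `pretty` through while the filtered locals do not; if `pug` is installed, the precompiled renderer also produces the page from the same request. The allowlist split is a belt-and-braces measure; the fix the advisory recommends is upgrading, and compiling templates once at startup is what keeps request data away from compiler options in the first place.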
How to fix CVE-2021-21353
To remediate CVE-2021-21353, upgrade the affected package to a fixed version below.
- Upgrade to 3.0.1 or later
- Upgrade to 2.0.3 or later
Is CVE-2021-21353 being exploited?
Low — EPSS is 1.8%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 3.0.1
- from 0, < 2.0.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (6.8) | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N |