CVE-2024-36361 — Pug allows JavaScript code execution if an application accepts untrusted input

Description

Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the `compileClient`, `compileFileClient`, or `compileClientWithDependenciesTracked` function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.

How to fix CVE-2024-36361

To remediate CVE-2024-36361, upgrade the affected package to a fixed version below.

—upgrade to 3.0.3 or later
—upgrade to 3.0.3 or later

Is CVE-2024-36361 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 3.0.3
from 0, < 3.0.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.8	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-36361
PATCHgithub.com/pugjs/pug
WEBgithub.com/Coding-Competition-Team/hackac-2024/tree/main/web/pug
WEBgithub.com/pugjs/pug/blob/4767cafea0af3d3f935553df0f9a8a6e76d470c2/packages/pug/lib/index.js#L328