CVE CyberSecurity Database News

CVE-2024-36361: Pug Template Engine Vulnerability Allows JavaScript Code Execution Through Functions

Poster -

A new cybersecurity vulnerability has been discovered, affecting the widely-used Pug template engine. Dubbed CVE-2024-36361, this vulnerability poses a significant risk for web applications that utilize the Pug template engine. This long read post will provide detailed information about this vulnerability, including code snippets, links to original references, and exploit details to help you better understand the issue and take appropriate steps to secure your application.

The Vulnerability

Pug, a popular template engine for Node.js, is used by countless developers to create dynamic, reusable HTML templates. However, Pug versions up to 3..2 contain a dangerous security flaw that can trigger JavaScript code execution. To exploit this vulnerability, an attacker would need to provide untrusted input as the name option for one of the following Pug functions:

compileClientWithDependenciesTracked()

It is important to note that these functions are primarily used for compiling Pug templates into JavaScript. As such, there should typically be no reason to allow untrusted input for these options. Nonetheless, the vulnerability exists, and it is crucial to protect your applications from potential attacks.

Code Snippet

const pug = require('pug');

// Untrusted input
const untrustedInput = ")}; alert("XSS vulnerability in Pug");//;

// The vulnerable function call
const compiledTemplate = pug.compileClient('html_template.pug', {
  name: untrustedInput
});

This code snippet demonstrates how an attacker could exploit the vulnerability by providing untrusted input for the name option. When the affected function is called with such input, it can trigger the JavaScript code execution and expose the application to potential attacks such as Cross-Site Scripting (XSS).

Original References

To learn more about the vulnerability and how it was discovered, please refer to the following sources:

1. Pug GitHub Repository: The official repository for the Pug project. The vulnerability was patched, and a new release, 3..3, is now available.
2. CVE-2024-36361 Details: Official CVE details page for this vulnerability, providing a high-level overview of the issue.

Exploit Details

To successfully exploit this vulnerability, an attacker would need to have control over the input provided to the affected Pug functions. This would typically involve the following steps:

1. Identifying an application that is using Pug versions up to 3..2 and has one of the vulnerable Pug functions exposed to receive untrusted input.
2. Crafting malicious JavaScript code and providing it as the input for the name option in one of the aforementioned Pug functions.
3. Triggering the function call with the malicious input, resulting in the execution of the attacker's code.

To protect your applications from this vulnerability, you should take the following steps

1. Update your Pug dependency to version 3..3 or later. This release patches the vulnerability and provides improved security. To update, modify the package.json file in your Node.js project to include the latest Pug version:

{
  "dependencies": {
    "pug": "^3..3"
  }
}

2. Ensure that your application does not accept untrusted input for the name option in the compileClient, compileFileClient, or compileClientWithDependenciesTracked functions. It is critical to validate and sanitize all user input entering your application to prevent potential attacks.

3. Regularly review and audit your application code and dependencies to ensure that no vulnerabilities or outdated packages are in use.

Conclusion

The CVE-2024-36361 vulnerability in Pug template engine versions up to 3..2 is a serious security issue that can lead to JavaScript code execution. To secure your applications, update to Pug 3..3 or later and follow the mitigation steps outlined in this post. Remember to always be vigilant when it comes to handling user input and keep your application dependencies up-to-date to prevent such vulnerabilities in the future.

Timeline

Published on: 05/24/2024 06:15:08 UTC
Last modified on: 08/02/2024 04:17:00 UTC