Skip to main content

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVE-2021-21353

Severity High
Score 9/10

Summary

In pug-code-gen before version 2.0.3 and 3.x before 3.0.2, if a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug-code-gen template inputs, it was possible for them to achieve remote code execution on the node.js backend. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug-code-gen as the `pretty` option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.

  • HIGH
  • NETWORK
  • HIGH
  • CHANGED
  • NONE
  • NONE
  • HIGH
  • HIGH

CWE-74 - Injection

Listed as the number one web application security risk on the 'OWASP Top Ten', injection attacks are widespread and dangerous, especially in legacy applications. Injection attacks are a class of vulnerabilities in which an attacker injects untrusted data into a web application that gets processed by an interpreter, altering the program's execution. This can result in data loss/theft, loss of data integrity, denial of service, and even compromising the entire system.

Advisory Timeline

  • Published