CVE-2021-21353
Remote Code Execution vulnerability in pug (npm)
What is CVE-2021-21353 About?
pug versions before 3.0.1 (through its code generator, pug-code-gen, before 2.0.3 and 3.0.x before 3.0.2) allow Remote Code Execution when an attacker controls the `pretty` option passed to the compiler. The option's value is written into the JavaScript source of the generated template function, so a crafted value runs arbitrary code in the Node.js process. This is reachable whenever user-controlled data, such as request query parameters, is spread into the object handed to the template engine.
Affected Software
- pug
  - <3.0.1
- pug-code-gen
  - <2.0.3
  - >=3.0.0, <3.0.2
Technical Details
`pretty` is normally `true` or `false`, but pug-code-gen also accepts a string and uses it as the indentation unit for pretty-printed output. The generator builds the JavaScript source of the template function as a string and, in affected versions, concatenated that indentation string into a quoted literal in the source without escaping it; pug then compiles the source with `new Function`. A `pretty` value that closes the quote, adds statements and reopens a quote therefore injects arbitrary JavaScript that executes inside the Node.js process when the template is compiled. This is JavaScript code injection into generated source, not OS command injection, although the injected code can of course spawn processes. The fixed versions (pug-code-gen 2.0.3 and 3.0.2, pulled in by pug 3.0.1) serialise the value safely before emitting it. The typical exposure is an Express application calling `res.render(view, { ...req.query })`: pug's `__express` entry point treats the locals object as compiler options as well, so a `pretty` query parameter becomes the compiler's `pretty` option. If untrusted input cannot reach `pretty`, for example because templates are compiled ahead of time and user data is only supplied as locals to the compiled function, the bug is not reachable.
What is the Impact of CVE-2021-21353?
Successful exploitation runs attacker-supplied JavaScript inside the Node.js process that compiles the template, with that process's privileges, typically while handling the attacker's own request. From there the attacker can read application secrets and data, spawn processes, and pivot to full compromise of the server.
What is the Exploitability of CVE-2021-21353?
The attacker needs to control the `pretty` option at compile time, which in practice means the application passes untrusted data into the options object of `pug.compile`, `pug.render`, `pug.renderFile` or, through Express, `res.render`. No authentication or privileges are required beyond reaching such an endpoint over the network; the only real complexity is whether the application spreads user-provided objects (query parameters, parsed JSON bodies) into template inputs without an allow-list. Applications that compile templates once at startup and only pass user data as locals to the compiled function are not exposed, since the compiler options are fixed before any request arrives.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| jinsu9758 | Link | PoC for CVE-2021-21353 |
What are the Available Fixes for CVE-2021-21353?
About the Fix from Resolved Security
Available Upgrade Options
- pug
  - <3.0.1 → Upgrade to 3.0.1
- pug-code-gen
  - <2.0.3 → Upgrade to 2.0.3
  - >=3.0.0, <3.0.2 → Upgrade to 3.0.2

The bug lives in pug-code-gen, which pug depends on, so check the resolved version of pug-code-gen in your lockfile rather than only the version of pug. Projects still on pug 2.x can pick up pug-code-gen 2.0.3 by refreshing that transitive dependency without the major-version jump to pug 3.0.1.
Additional Resources
- https://www.npmjs.com/package/pug-code-gen
- https://github.com/pugjs/pug/commit/991e78f7c4220b2f8da042877c6f0ef5a4683be0
- https://www.npmjs.com/package/pug
- https://osv.dev/vulnerability/GHSA-p493-635q-r6gr
- https://github.com/pugjs/pug/releases/tag/pug%403.0.1
- https://github.com/pugjs/pug/pull/3314
- https://nvd.nist.gov/vuln/detail/CVE-2021-21353
- https://github.com/pugjs/pug/issues/3312
What are Similar Vulnerabilities to CVE-2021-21353?
Similar Vulnerabilities: CVE-2021-42007 , CVE-2022-21703 , CVE-2021-39145 , CVE-2021-32698 , CVE-2020-7768
