CVE-2024-36361
📋 TL;DR
CVE-2024-36361 allows remote code execution in the Pug template engine when untrusted input is passed to specific compilation functions. Applications that call Pug's compileClient, compileFileClient, or compileClientWithDependenciesTracked functions with user-controlled input are vulnerable. This primarily affects developers who misuse these compilation functions in production applications.
💻 Affected Systems
- Pug (formerly Jade) template engine
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise with arbitrary code execution, data theft, and lateral movement within the network
Likely Case
Limited code execution within the application context, potentially leading to data exposure or service disruption
If Mitigated
No impact if proper input validation prevents untrusted data from reaching vulnerable functions
🎯 Exploit Status
Exploitation requires understanding of Pug's compilation functions and ability to inject into specific parameters
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.3 and later
Vendor Advisory: https://github.com/pugjs/pug/pull/3428
Restart Required: Yes
Instructions:
1. Update package.json to specify pug version 3.0.3 or higher.
2. Run 'npm update pug' or 'yarn upgrade pug'.
3. Restart your Node.js application.
🔧 Temporary Workarounds
Input validation and sanitization
Validate and sanitize all input passed to Pug compilation functions
Function restriction
Avoid using compileClient, compileFileClient, or compileClientWithDependenciesTracked with any user-controlled input
🧯 If You Can't Patch
- Implement strict input validation to ensure no untrusted data reaches vulnerable compilation functions
- Use application-level firewalls or WAF rules to detect and block suspicious template compilation patterns
🔍 How to Verify
Check if Vulnerable:
Check if your application uses compileClient, compileFileClient, or compileClientWithDependenciesTracked with any user input
Check Version:
npm list pug | grep pug
Verify Fix Applied:
Verify pug version is 3.0.3 or higher using 'npm list pug' or check package.json
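The version and usage checks above can be scripted. The following is an added example, not code from the Pug project or from this page: it flags every pug copy below 3.0.3 in a parsed package-lock.json (lockfileVersion 2 or 3, including copies nested under other dependencies) and lists source lines that call the three functions. The lockfile and source snippet are constructed sample data, and the helper names are chosen for illustration.

```javascript
// Added example: audit helpers for the "How to Verify" checks (names are illustrative).
const FIXED = [3, 0, 3]; // patched pug version stated on this page
const RISKY = /\b(compileClientWithDependenciesTracked|compileFileClient|compileClient)\s*\(/;

// True when a version string such as "3.0.2" or "3.1.0" is at or above 3.0.3.
function isPatched(version) {
  const [core, pre] = version.split('-', 2);
  const parts = core.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const a = parts[i] || 0;
    if (a !== FIXED[i]) return a > FIXED[i];
  }
  return pre === undefined; // a prerelease of 3.0.3 sorts before 3.0.3 itself
}

// Every pug copy in a parsed package-lock.json that is below the fixed version.
// Nested copies matter: a dependency can pin its own older pug.
function findUnpatchedPug(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => /(^|\/)node_modules\/pug$/.test(path) && !isPatched(meta.version))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Source lines (1-based) that call one of the three functions; comment lines are skipped.
function findRiskyCalls(source) {
  return source.split('\n')
    .map((text, i) => ({ line: i + 1, text: text.trim() }))
    .filter(({ text }) => RISKY.test(text) && !text.startsWith('//'));
}

// Constructed sample data, not taken from any real project.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/pug': { version: '3.0.3' },
  'node_modules/legacy-mailer/node_modules/pug': { version: '2.0.4' },
} };
const sampleSource = [
  "const pug = require('pug');",
  "// pug.compileClient(tpl) was removed here",
  "app.post('/preview', (req, res) => {",
  "  res.send(pug.compileClient(req.body.template));",
  "});",
  "const page = pug.compileFile('views/index.pug');",
].join('\n');

console.log(findUnpatchedPug(sampleLock), findRiskyCalls(sampleSource));
```

A hit from findRiskyCalls only marks a call site for review; whether user-controlled input reaches it still has to be traced by hand.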
📡 Detection & Monitoring
Log Indicators:
- Unusual template compilation errors
- Suspicious JavaScript execution in template contexts
Network Indicators:
- Unexpected template compilation requests
- Abnormal payloads in template-related API calls
SIEM Query:
source="application.log" AND ("compileClient" OR "compileFileClient" OR "compileClientWithDependenciesTracked") AND user_input=*