SCA: security update for pug, pug-code-gen (GHSA-p493-635q-r6gr)

critical Tenable Cloud Security Plugin ID 417266

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a
remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user
provided object such as the query parameters of a request into the pug template inputs, it was possible
for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This
advisory applies to multiple pug packages including "pug", "pug-code-gen". pug-code-gen has a backported
fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be
passed to pug as the `pretty` option, e.g. if you compile templates in advance before applying user input
to them, you do not need to upgrade. (CVE-2021-21353)

See Also

https://github.com/advisories/GHSA-p493-635q-r6gr

Plugin Details

Severity: Critical

ID: 417266

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.7

Percentile: 99.31

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-21353

CVSS v3

Risk Factor: Critical

Base Score: 9

Temporal Score: 8.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/3/2021

Vulnerability Publication Date: 3/3/2021

Reference Information

CVE: CVE-2021-21353