CVE-2021-21353 in pug
Summary
by MITRE • 03/03/2021
Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the Node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including "pug", "pug-code-gen". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for untrusted input to be passed to pug as the `pretty` option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.
Analysis
by VulDB Data Team • 04/17/2025
CVE-2021-21353 is a critical remote code execution vulnerability in the Pug template engine, a widely used high-performance templating library for Node.js applications. The flaw is improper input validation in the pug compiler's handling of the `pretty` option: when user-provided input is spread directly into the compile parameters, a remote attacker who controls `pretty` can inject code that executes on the backend Node.js server. It is classified as CWE-94, "Improper Control of Generation of Code," a failure in code generation controls that enables arbitrary code execution.
Exploitation works by manipulating the `pretty` compilation option, which is designed to format generated JavaScript code for better readability. When untrusted input flows into this parameter, the compiler's internal processing logic becomes susceptible to code injection. The impact goes beyond template rendering: the attacker can execute arbitrary Node.js code with the privileges of the backend server process, a severe risk for any application that compiles templates from user-provided data without sanitization. The attack vector aligns with ATT&CK technique T1059.006, "Command and Scripting Interpreter: Python", since the vulnerability enables code execution through template manipulation rather than traditional command injection.
The operational impact is substantial for organizations using Pug in web applications, especially those that accept user input for template compilation or parameter processing. Such applications are immediately exposed to remote code execution, which can lead to complete server compromise, data exfiltration and lateral movement within the network. Because the flaw affects several packages in the pug ecosystem, including the main pug package and pug-code-gen, patching must be coordinated across affected dependencies. Security teams should identify every application using vulnerable versions of these packages and verify that input validation and sanitization are in place.
Organizations should upgrade immediately to the fixed versions of pug (3.0.1) and pug-code-gen (2.0.3) and establish input validation that keeps untrusted data out of the pug compilation pipeline. Exploitability depends directly on application design: the flaw is reachable only where user input is used, unsanitized, in template compilation contexts. Measures should include strict parameter validation, template pre-compilation where possible, and proper input sanitization routines. Organizations should also consider network segmentation and monitoring for suspicious code execution patterns, since the vulnerability could let attackers establish persistent access through the executed code. Remediation should follow the OWASP Top 10 2021 guidance on injection vulnerabilities and proper input handling in web applications.
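The following is an added example, not code from the advisory or from the pug project. It places the vulnerable pattern named in the summary (spreading a request object into the compile options) next to a hardened version that builds options from an allowlist and validates `pretty`, so request data can only ever become template locals. The request object shape, option allowlist and function names are assumptions for illustration.

```javascript
// Defaults a developer would pass to pug.compile (assumed values for the example).
const PUG_OPTION_DEFAULTS = Object.freeze({ pretty: false, doctype: 'html' });
// Only these keys may ever be overridden, and only from developer-controlled code.
const ALLOWED_OPTION_KEYS = Object.freeze(['pretty', 'doctype', 'filename']);

// `pretty` is acceptable only as a boolean or as a whitespace-only indent string.
// Query-string values are always strings, so "true" from a request is rejected too.
function isSafePretty(value) {
  return typeof value === 'boolean' ||
    (typeof value === 'string' && /^[ \t]+$/.test(value));
}

// Vulnerable pattern from the advisory: every key in the request object,
// including an attacker-controlled `pretty`, becomes a compiler option.
function unsafeOptionsFromRequest(query) {
  return { ...PUG_OPTION_DEFAULTS, ...query };
}

// Hardened: copy only allowlisted keys from developer overrides, validate
// `pretty`, and drop everything else instead of merging it.
function buildCompileOptions(overrides = {}) {
  const opts = { ...PUG_OPTION_DEFAULTS };
  for (const key of ALLOWED_OPTION_KEYS) {
    if (!Object.prototype.hasOwnProperty.call(overrides, key)) continue;
    if (key === 'pretty' && !isSafePretty(overrides[key])) {
      throw new TypeError('pretty must be a boolean or a whitespace-only string');
    }
    opts[key] = overrides[key];
  }
  return opts;
}

// Request data is passed to the template as locals only; compile options never
// derive from it, which is the condition under which the advisory does not apply.
function prepareRender(query, overrides) {
  return { options: buildCompileOptions(overrides), locals: { ...query } };
}

// Constructed request: a non-whitespace `pretty` reaches the compiler in the
// unsafe version and stays out of the options in the hardened one.
const constructedQuery = { name: 'alice', pretty: 'not-whitespace' };
const leakedPretty = unsafeOptionsFromRequest(constructedQuery).pretty; // 'not-whitespace'
const { options, locals } = prepareRender(constructedQuery, { doctype: 'html' });
// options.pretty === false, locals.name === 'alice'
```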