CVE-2024-36361: 
JavaScript vulnerability analysis and mitigation

Pug through version 3.0.2 contains a code injection vulnerability that allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileClientWithDependenciesTracked, and compileFileClient functions (NVD).

The vulnerability exists in the compileClient family of functions where the options.name parameter is passed into templateName without proper validation. This allows attackers to inject arbitrary JavaScript code through template name manipulation. The vulnerability is particularly concerning when these functions are used in conjunction with user-controlled input being passed directly to the options object (GitHub PR).

If exploited, this vulnerability could lead to client-side arbitrary JavaScript execution, potentially resulting in Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks. In certain server-side configurations, it could even lead to Remote Code Execution (RCE) if the application exposes the vulnerable functions with user-controlled input (GitHub PR).

The vulnerability has been patched in Pug version 3.0.3. Users should upgrade to this version or later. The fix includes additional validation checks to restrict template names to alphanumeric characters and underscores. For those unable to upgrade immediately, it's recommended to ensure that user input is not passed directly to the options object of the compile functions (GitHub PR).