pug-3.0.2.tgz: 2 vulnerabilities (highest severity is: 9.9) #68
Description
Vulnerable Library - pug-3.0.2.tgz
Path to dependency file: /apps/package.json
Path to vulnerable library: /apps/package.json
Found in HEAD commit: 67e0064a6ec67840f7b7e9e817e2d4f93d73b642
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (pug version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-13465 |  Critical |
9.9 | lodash-4.17.21.tgz | Transitive | N/A* | ❌ |
| CVE-2021-23343 |  Medium |
5.3 | path-parse-1.0.6.tgz | Transitive | 3.0.3-canary-14 | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-13465
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /apps/package.json
Path to vulnerable library: /apps/package.json
Dependency Hierarchy:
- pug-3.0.2.tgz (Root Library)
- pug-filters-4.0.0.tgz
- constantinople-4.0.1.tgz
- types-7.12.17.tgz
- ❌ lodash-4.17.21.tgz (Vulnerable Library)
- types-7.12.17.tgz
- constantinople-4.0.1.tgz
- pug-filters-4.0.0.tgz
Found in HEAD commit: 67e0064a6ec67840f7b7e9e817e2d4f93d73b642
Found in base branch: develop
Vulnerability Details
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched on 4.17.23
Publish Date: 2026-01-21
URL: CVE-2025-13465
CVSS 3 Score Details (9.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-xxjr-mmjv-4gpg
Release Date: 2026-01-21
Fix Resolution: lodash-amd - 4.17.23,lodash - 4.17.23,lodash-es - 4.17.23
Step up your Open Source Security Game with Mend here
CVE-2021-23343
Vulnerable Library - path-parse-1.0.6.tgz
Node.js path.parse() ponyfill
Library home page: https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz
Path to dependency file: /apps/package.json
Path to vulnerable library: /apps/package.json
Dependency Hierarchy:
- pug-3.0.2.tgz (Root Library)
- pug-filters-4.0.0.tgz
- resolve-1.20.0.tgz
- ❌ path-parse-1.0.6.tgz (Vulnerable Library)
- resolve-1.20.0.tgz
- pug-filters-4.0.0.tgz
Found in HEAD commit: 67e0064a6ec67840f7b7e9e817e2d4f93d73b642
Found in base branch: develop
Vulnerability Details
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
Publish Date: 2021-05-04
URL: CVE-2021-23343
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2021-05-04
Fix Resolution (path-parse): 1.0.7
Direct dependency fix Resolution (pug): 3.0.3-canary-14
Step up your Open Source Security Game with Mend here