forwardemail / email-templates

Create, preview (browser/iOS Simulator), and send custom email templates for Node.js. Made for @forwardemail, @ladjs, @cabinjs, @spamscanner, and @breejs.
https://forwardemail.net/docs/send-emails-with-node-js-javascript
MIT License
3.64k stars, 339 forks

High-Severity Code Injection Vulnerability in email-templates Dependency Chain #461

Closed saravanan-karthikeyan closed 1 month ago

saravanan-karthikeyan commented 1 month ago

Describe the bug

Node.js version: v18.20.0
OS version: Ubuntu 22.04.3 LTS

Description:
The email-templates library introduces a high-severity vulnerability related to improper control of the generation of code ('Code Injection'). This issue is traced to the pug-code-gen@3.0.3 dependency, which is indirectly included through preview-email@3.0.19 and pug@3.0.3.

Actual behavior

The pug-code-gen package in its current version is susceptible to code injection, which could potentially allow attackers to execute arbitrary code within the context of the application using email-templates.

Expected behavior

Dependencies should not introduce vulnerabilities that compromise the security of the application. The email-templates library should update or replace the vulnerable dependency to prevent potential exploitation.

Code to reproduce

```json
{
  "dependencies": {
    "email-templates": "11.1.1"
  }
}
```

Running a security scan with tools like Snyk will reveal the vulnerability:

```sh
snyk test
```

Example output:

```text
✗ Improper Control of Generation of Code ('Code Injection') [High Severity] [https://security.snyk.io/vuln/SNYK-JS-PUGCODEGEN-7086056] in pug-code-gen@3.0.3
  introduced by email-templates@11.1.1 > preview-email@3.0.19 > pug@3.0.3 > pug-code-gen@3.0.3
  No upgrade or patch available
```

Checklist
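The "introduced by" chain in the scanner output above is derived from the installed dependency graph. The following script, added here as an illustration and not part of email-templates or of the reporter's issue, walks a `package-lock.json` (lockfileVersion 2/3 `packages` map) and prints every chain through which a named package reaches the application, applying npm's node_modules lookup rules so nested (non-hoisted) copies resolve correctly. The embedded lockfile is constructed to mirror the chain reported in the issue; pass a real lockfile path as the first argument to run it against your own project.

```javascript
// Added example: report how a given package is introduced into a project,
// from a lockfileVersion 2/3 package-lock.json. Not code from the
// email-templates project. SAMPLE_LOCK is a constructed lockfile that
// mirrors the chain reported by the scanner in this issue.
const SAMPLE_LOCK = {
  name: "app",
  lockfileVersion: 3,
  packages: {
    "": { name: "app", dependencies: { "email-templates": "11.1.1" } },
    "node_modules/email-templates": {
      version: "11.1.1",
      dependencies: { "preview-email": "^3.0.19" },
    },
    "node_modules/preview-email": {
      version: "3.0.19",
      dependencies: { pug: "^3.0.3" },
    },
    "node_modules/pug": {
      version: "3.0.3",
      dependencies: { "pug-code-gen": "^3.0.3" },
    },
    "node_modules/pug-code-gen": { version: "3.0.3", dependencies: {} },
  },
};

// Resolve dependency `dep` as required by the package installed at
// `fromPath` ("" is the project root): look in fromPath/node_modules/dep,
// then in each ancestor's node_modules, ending at the top-level one.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate =
      base === "" ? `node_modules/${dep}` : `${base}/node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // not installed anywhere on the lookup path
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root, collecting every "name@version" chain
// that ends at a package named `target`. `onStack` guards against cycles.
function findIntroductionPaths(lock, target) {
  const packages = lock.packages || {};
  const results = [];
  const visit = (path, chain, onStack) => {
    const entry = packages[path];
    if (!entry) return;
    for (const dep of Object.keys(entry.dependencies || {})) {
      const depPath = resolveDep(packages, path, dep);
      if (!depPath || onStack.has(depPath)) continue;
      const next = chain.concat(`${dep}@${packages[depPath].version}`);
      if (dep === target) results.push(next.join(" > "));
      onStack.add(depPath);
      visit(depPath, next, onStack);
      onStack.delete(depPath);
    }
  };
  visit("", [], new Set([""]));
  return results;
}

// Stand-alone usage: `node introduced-by.js [package-lock.json] [package]`.
// Without arguments it runs against the constructed sample lockfile.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  const target = process.argv[3] || "pug-code-gen";
  const paths = findIntroductionPaths(lock, target);
  if (paths.length === 0) console.log(`${target} is not in the dependency graph`);
  for (const p of paths) console.log(`introduced by ${p}`);
}
```

On the sample lockfile this prints the same chain the scanner reports (`email-templates@11.1.1 > preview-email@3.0.19 > pug@3.0.3 > pug-code-gen@3.0.3`). Because the walk resolves each dependency the way npm does, a project that carries both a hoisted and a nested copy of the same package gets one chain per copy, which is what you need when deciding whether an `overrides` entry would actually reach every instance.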