Create, preview (browser/iOS Simulator), and send custom email templates for Node.js. Made for @forwardemail, @ladjs, @cabinjs, @spamscanner, and @breejs.
Node.js version: v18.20.0 OS version: Ubuntu 22.04.3 LTS
Description:
The email-templates library introduces a high-severity vulnerability related to improper control of the generation of code ('Code Injection'). This issue is traced to the pug-code-gen@3.0.3 dependency, which is indirectly included through preview-email@3.0.19 and pug@3.0.3.
Actual behavior
The pug-code-gen package in its current version is susceptible to code injection, which could potentially allow attackers to execute arbitrary code within the context of the application using email-templates.
Expected behavior
Dependencies should not introduce vulnerabilities that compromise the security of the application. The email-templates library should update or replace the vulnerable dependency to prevent potential exploitation.
Code to reproduce
Running a security scan with tools like Snyk will reveal the vulnerability:
snyk test
Example output:
✗ Improper Control of Generation of Code ('Code Injection') [High Severity] [https://security.snyk.io/vuln/SNYK-JS-PUGCODEGEN-7086056] in pug-code-gen@3.0.3
introduced by email-templates@11.1.1 > preview-email@3.0.19 > pug@3.0.3 > pug-code-gen@3.0.3
No upgrade or patch available
Checklist
[x] I have searched through GitHub issues for similar issues.
[x] I have completely read through the README and documentation.
[x] I have tested my code with the latest version of Node.js and this package and confirmed it is still not working.
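The chain Snyk prints (email-templates > preview-email > pug > pug-code-gen) can be checked independently against the project's own lockfile, and re-checked after a dependency bump to confirm the package really left every chain. The following is an added example, not code from the original issue or from the email-templates project: it walks an npm package-lock.json ("packages" map, lockfileVersion 2 or 3) using npm's nearest-node_modules resolution rule, lists every chain that introduces a named package in the same format Snyk uses, and filters by a fixed-in version once one is published. The lockfile object is constructed for the example; the project name mailer-app and the second consumer legacy-renderer with its nested, older pug are hypothetical, and only the email-templates@11.1.1 > preview-email@3.0.19 > pug@3.0.3 > pug-code-gen@3.0.3 chain comes from the Snyk output above.

```javascript
// Added example (not from the issue or the email-templates project): trace how a
// package enters an npm lockfile and report the chains still below a fixed version.

// Constructed lockfile. The email-templates chain mirrors the Snyk output in the
// issue; "mailer-app" and "legacy-renderer" (with its nested pug 2.x) are hypothetical.
const LOCKFILE = {
  name: "mailer-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "email-templates": "^11.1.1", "legacy-renderer": "^1.0.0" } },
    "node_modules/email-templates": { version: "11.1.1", dependencies: { "preview-email": "^3.0.19" } },
    "node_modules/preview-email": { version: "3.0.19", dependencies: { pug: "^3.0.3" } },
    "node_modules/pug": { version: "3.0.3", dependencies: { "pug-code-gen": "^3.0.3" } },
    "node_modules/pug-code-gen": { version: "3.0.3" },
    // Hypothetical second consumer pinned to an older pug; npm nests it because the
    // top-level node_modules/pug is already taken by a different major version.
    "node_modules/legacy-renderer": { version: "1.0.0", dependencies: { pug: "2.0.4" } },
    "node_modules/legacy-renderer/node_modules/pug": { version: "2.0.4", dependencies: { "pug-code-gen": "^2.0.3" } },
    "node_modules/legacy-renderer/node_modules/pug-code-gen": { version: "2.0.3" },
  },
};

// npm resolves a dependency from the nearest enclosing node_modules directory:
// try <from>/node_modules/<name>, then the parent's node_modules, up to the top level.
function resolveDependency(packages, from, name) {
  let base = from;
  for (;;) {
    const candidate = base === "" ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // unmet (e.g. an uninstalled peer dependency)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root package. Each chain that ends at `target` is
// returned as "name@version" labels joined with " > " (the format Snyk prints).
function findIntroductionPaths(lockfile, target) {
  const packages = lockfile.packages;
  const results = [];
  const walk = (path, chain, seen) => {
    const entry = packages[path];
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    for (const name of Object.keys(deps)) {
      const depPath = resolveDependency(packages, path, name);
      if (!depPath || seen.has(depPath)) continue; // unresolvable, or a cycle in this chain
      const label = `${name}@${packages[depPath].version}`;
      if (name === target) {
        results.push([...chain, label].join(" > "));
        continue;
      }
      walk(depPath, [...chain, label], new Set([...seen, depPath]));
    }
  };
  walk("", [], new Set());
  return results;
}

// Numeric major.minor.patch comparison; pre-release suffixes are ignored, which is
// enough for release-only lockfiles. Returns a negative, zero or positive number.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Chains whose installed version of `target` is below `fixedIn`. When no fixed
// version is known yet (fixedIn === null), as in the Snyk output, every chain counts.
function auditLockfile(lockfile, target, fixedIn) {
  return findIntroductionPaths(lockfile, target).filter((chain) => {
    const version = chain.slice(chain.lastIndexOf("@") + 1);
    return fixedIn === null || compareVersions(version, fixedIn) < 0;
  });
}

if (typeof require !== "undefined" && require.main === module) {
  for (const chain of auditLockfile(LOCKFILE, "pug-code-gen", null)) {
    console.log(`introduced by ${chain}`);
  }
}
```

With a real project, replace LOCKFILE by `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the walk only reads the "packages" map, so it works on any lockfile npm 7 or later writes. The useful property is the second argument of auditLockfile: after a fix is released you pass its version and get back only the chains that still pin the old one, which is the confirmation to run before closing a finding like this one.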