Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H reflects dual prerequisites (cgo resolver and attacker-influenced URL); PR:L for contributor-level access; S:C and C:H for cloud-metadata credential exposure across system boundary.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including integer, hex, or octal, passed the policy. When a template passes an untrusted or data-derived URL to resources.GetRemote and the host platform uses the cgo system resolver, these encodings resolve to the blocked address, allowing build-time server-side requests to loopback and internal services, including the cloud-metadata endpoint in hosted or CI builds; the same check is reused on redirects, so the gap also applies to each redirect hop. This issue is fixed in v0.163.1.
AnalysisAI
Build-time SSRF in Hugo static site generator (v0.162.0-v0.163.0) allows bypass of the security.http.urls IP-block policy by supplying loopback or cloud-metadata addresses in alternate IPv4 encodings - integer, hex, or octal - that the deny rule does not recognize but the cgo system resolver silently normalizes and resolves. Templates invoking resources.GetRemote with attacker-influenced or data-derived URLs can reach internal services and cloud-metadata endpoints (e.g., AWS IMDSv1) at build time, a particularly acute risk in CI pipelines and hosted build services where instance credentials are accessible. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all of the following conditions to be met simultaneously: (1) Hugo version exactly v0.162.0 or v0.163.0 - earlier and later versions are not affected; (2) the build must use the cgo-linked system resolver, not the pure-Go resolver (CGO_ENABLED=1 at build time, which is the default for most distributed Hugo binaries); (3) at least one site template must invoke `resources.GetRemote` with a URL value that is data-derived or otherwise influenced by an attacker rather than a hardcoded string; (4) the attacker must have a mechanism to inject an alternate-encoded IP address into that URL argument, such as contributor access to data files, configuration, or content front matter. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 4.0 score is 4.6 (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with write access to a Hugo project's data directory or a partial template contributes a URL argument to `resources.GetRemote` using the decimal-integer encoding of 169.254.169.254 (i.e., 2852039166). When the CI pipeline triggers a Hugo build on a cloud instance - such as GitHub Actions running on AWS - the policy check passes because the integer form is not matched by the deny rule, and the cgo resolver issues an HTTP GET to the cloud metadata endpoint, potentially returning IAM role credentials that are then embedded in the build output or logged. … |
| Remediation | The primary fix is to upgrade to Hugo v0.163.1, which corrects the IPv4 encoding check to cover decimal-integer, hexadecimal, and octal representations. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Hugo is a fast and Flexible Static Site Generator built in Go. Rated high severity (CVSS 8.5), this vulnerability is rem
Symlink traversal in Hugo's virtual filesystem (v0.123.0-v0.163.0) allows a symlink planted inside a theme or local moun
Stored XSS in Hugo's default code-block renderer allows an attacker with Markdown contribution rights to inject arbitrar
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41918