Skip to main content

Hugo CVE-2026-58404

| EUVDEUVD-2026-41918 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-06 GitHub_M
4.6
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
4.6 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.3 MEDIUM

AC:H reflects dual prerequisites (cgo resolver and attacker-influenced URL); PR:L for contributor-level access; S:C and C:H for cloud-metadata credential exposure across system boundary.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 06, 2026 - 20:04 vuln.today

DescriptionCVE.org

Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including integer, hex, or octal, passed the policy. When a template passes an untrusted or data-derived URL to resources.GetRemote and the host platform uses the cgo system resolver, these encodings resolve to the blocked address, allowing build-time server-side requests to loopback and internal services, including the cloud-metadata endpoint in hosted or CI builds; the same check is reused on redirects, so the gap also applies to each redirect hop. This issue is fixed in v0.163.1.

AnalysisAI

Build-time SSRF in Hugo static site generator (v0.162.0-v0.163.0) allows bypass of the security.http.urls IP-block policy by supplying loopback or cloud-metadata addresses in alternate IPv4 encodings - integer, hex, or octal - that the deny rule does not recognize but the cgo system resolver silently normalizes and resolves. Templates invoking resources.GetRemote with attacker-influenced or data-derived URLs can reach internal services and cloud-metadata endpoints (e.g., AWS IMDSv1) at build time, a particularly acute risk in CI pipelines and hosted build services where instance credentials are accessible. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain contributor access to Hugo project repository
Delivery
Inject alternate-encoded IP (hex/int/octal) into template data or partial
Exploit
Build triggered in cloud CI pipeline with cgo resolver active
Execution
resources.GetRemote submits URL, policy check fails to match non-decimal encoding
Persist
Cgo resolver normalizes encoding and issues request to cloud-metadata or internal endpoint
Impact
Sensitive response (e.g., IAM credentials) returned to build process

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following conditions to be met simultaneously: (1) Hugo version exactly v0.162.0 or v0.163.0 - earlier and later versions are not affected; (2) the build must use the cgo-linked system resolver, not the pure-Go resolver (CGO_ENABLED=1 at build time, which is the default for most distributed Hugo binaries); (3) at least one site template must invoke `resources.GetRemote` with a URL value that is data-derived or otherwise influenced by an attacker rather than a hardcoded string; (4) the attacker must have a mechanism to inject an alternate-encoded IP address into that URL argument, such as contributor access to data files, configuration, or content front matter. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 4.0 score is 4.6 (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with write access to a Hugo project's data directory or a partial template contributes a URL argument to `resources.GetRemote` using the decimal-integer encoding of 169.254.169.254 (i.e., 2852039166). When the CI pipeline triggers a Hugo build on a cloud instance - such as GitHub Actions running on AWS - the policy check passes because the integer form is not matched by the deny rule, and the cgo resolver issues an HTTP GET to the cloud metadata endpoint, potentially returning IAM role credentials that are then embedded in the build output or logged. …
Remediation The primary fix is to upgrade to Hugo v0.163.1, which corrects the IPv4 encoding check to cover decimal-integer, hexadecimal, and octal representations. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58404 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy