GHSA-R46F-3RPW-HXRV

Vulnerability from github – Published: 2026-06-19 19:18 – Updated: 2026-06-19 19:18
VLAI
Summary
Hugo: security.http.urls deny rules bypassed by alternate IPv4 encodings (SSRF)
Details

Impact

The default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals (e.g. http://127.0.0.1/, http://169.254.169.254/). The deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses — integer, hex, or octal, which contain no dot — passed the policy:

  • http://2130706433/127.0.0.1
  • http://2852039166/169.254.169.254 (cloud metadata)
  • http://0x7f000001/, http://017700000001/, http://0/

When a template passes an untrusted or data-derived URL to resources.GetRemote and the host platform uses the cgo system resolver, these encodings resolve to the blocked address — allowing build-time server-side requests to loopback and internal services, including the cloud-metadata endpoint in hosted/CI builds. The same check is reused on redirects, so the gap also applies to each redirect hop.

This affects sites that rely on security.http.urls as a security boundary while fetching attacker-influenced remote URLs; it does not affect sites that fully trust the URLs they fetch.

### Patches

Fixed in v0.163.1. Integer/hex/octal IPv4 hosts are now canonicalized to dotted-decimal before the policy is applied, so every encoding of an address is treated alike. No configuration change is required.

### Workarounds

Avoid passing untrusted URLs to resources.GetRemote, or tighten security.http.urls to an explicit allow-list of trusted hosts.

### Affected versions

v0.162.0 – v0.163.0 (patched in v0.163.1).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gohugoio/hugo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.162.0"
            },
            {
              "fixed": "0.163.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T19:18:14Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\n  The default `security.http.urls` policy denies requests to loopback, internal,\n  and cloud-metadata IPv4 literals (e.g. `http://127.0.0.1/`,\n  `http://169.254.169.254/`). The deny rule only matched dotted-decimal notation,\n  so alternate IPv4 encodings of the same addresses \u2014 integer, hex, or octal,\n  which contain no dot \u2014 passed the policy:\n\n  - `http://2130706433/` \u2192 `127.0.0.1`\n  - `http://2852039166/` \u2192 `169.254.169.254` (cloud metadata)\n  - `http://0x7f000001/`, `http://017700000001/`, `http://0/`\n\n  When a template passes an untrusted or data-derived URL to\n  `resources.GetRemote` and the host platform uses the\n  cgo system resolver, these encodings resolve to the blocked address \u2014 allowing\n  build-time server-side requests to loopback and internal services, including the\n  cloud-metadata endpoint in hosted/CI builds. The same check is reused on\n  redirects, so the gap also applies to each redirect hop.\n\n  This affects sites that rely on `security.http.urls` as a security boundary\n  while fetching attacker-influenced remote URLs; it does not affect sites that\n  fully trust the URLs they fetch.\n\n  ### Patches\n\n  Fixed in **v0.163.1**. Integer/hex/octal IPv4 hosts are now canonicalized to\n  dotted-decimal before the policy is applied, so every encoding of an address is\n  treated alike. No configuration change is required.\n\n  ### Workarounds\n\n  Avoid passing untrusted URLs to `resources.GetRemote`, or\n  tighten `security.http.urls` to an explicit allow-list of trusted hosts.\n\n  ### Affected versions\n\n  v0.162.0 \u2013 v0.163.0 (patched in v0.163.1).",
  "id": "GHSA-r46f-3rpw-hxrv",
  "modified": "2026-06-19T19:18:14Z",
  "published": "2026-06-19T19:18:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-r46f-3rpw-hxrv"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gohugoio/hugo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Hugo: security.http.urls deny rules bypassed by alternate IPv4 encodings (SSRF)"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…