GHSA-VXGM-5RMG-5W8G

Vulnerability from github – Published: 2026-06-16 19:22 – Updated: 2026-06-16 19:22
VLAI
Summary
Hugo: security.http.urls allow-list bypass via HTTP redirects
Details

Commit: 86fbb0f7a8security: Validate redirects against security.http.urls Affected versions: v0.91.0 (when security.http.urls was introduced) through v0.161.1. Fixed in: v0.162.0. Severity: Only relevant for sites that rely on security.http.urls as a trust boundary — e.g. CI builds that fetch remote resources but want to constrain which hosts can be reached. Not an issue if you fully trust every URL passed to resources.GetRemote.

Description. resources.GetRemote enforces security.http.urls on the URL it is called with, but until v0.162.0 it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid — for example, http://localhost/ or an internal IP — and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place.

Mitigation. v0.162.0 installs a CheckRedirect on the HTTP client used by resources.GetRemote that re-runs security.http.urls on every redirect target and caps the redirect chain at 10 hops. No configuration change is required.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gohugoio/hugo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.91.0"
            },
            {
              "fixed": "0.162.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-50134"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-16T19:22:37Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "**Commit:** [86fbb0f7a8](https://github.com/gohugoio/hugo/commit/86fbb0f7a8) \u2014 _security: Validate redirects against security.http.urls_\n**Affected versions:** v0.91.0 (when `security.http.urls` was introduced) through v0.161.1.\n**Fixed in:** v0.162.0.\n**Severity:** Only relevant for sites that rely on `security.http.urls` as a trust boundary \u2014 e.g. CI builds that fetch remote resources but want to constrain which hosts can be reached. Not an issue if you fully trust every URL passed to `resources.GetRemote`.\n\n**Description.** `resources.GetRemote` enforces `security.http.urls` on the URL it is called with, but until v0.162.0 it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid \u2014 for example, `http://localhost/` or an internal IP \u2014 and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place.\n\n**Mitigation.** v0.162.0 installs a `CheckRedirect` on the HTTP client used by `resources.GetRemote` that re-runs `security.http.urls` on every redirect target and caps the redirect chain at 10 hops. No configuration change is required.",
  "id": "GHSA-vxgm-5rmg-5w8g",
  "modified": "2026-06-16T19:22:37Z",
  "published": "2026-06-16T19:22:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-vxgm-5rmg-5w8g"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gohugoio/hugo/commit/86fbb0f7a8bbb93e2e916390de9e5a4f24bf9f50"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gohugoio/hugo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gohugoio/hugo/releases/tag/v0.162.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Hugo: security.http.urls allow-list bypass via HTTP redirects"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…