{
  "description": "Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.",
  "feed_url": "https://feed.craftedsignal.io/tags/build-time/feed.json",
  "home_page_url": "https://feed.craftedsignal.io/",
  "items": [
    {
      "_cs_actors": [],
      "_cs_cpes": [],
      "_cs_cves": [],
      "_cs_exploited": false,
      "_cs_has_poc": false,
      "_cs_poc_references": [],
      "_cs_products": ["Hugo"],
      "_cs_severities": ["high"],
      "_cs_tags": ["ssrf", "vulnerability", "hugo", "build-time", "webserver"],
      "_cs_type": "advisory",
      "_cs_vendors": ["gohugoio"],
      "content_html": "<p>A significant Server-Side Request Forgery (SSRF) vulnerability, impacting Hugo versions 0.162.0 through 0.163.0, allows attackers to bypass the <code>security.http.urls</code> policy. This policy is intended to prevent Hugo from making requests to sensitive internal, loopback, or cloud-metadata IPv4 addresses during site generation, especially when processing untrusted URLs via <code>resources.GetRemote</code>. The bypass occurs because the denial rule only recognized IPv4 addresses in standard dotted-decimal format, failing to catch alternate encodings such as integer, hexadecimal, or octal representations. This flaw can lead to build-time server-side requests to internal infrastructure or cloud metadata endpoints when a host platform utilizes the <code>cgo</code> system resolver, enabling potential information disclosure or unauthorized internal network access during CI/CD processes or other build environments. The vulnerability was patched in Hugo v0.163.1, which canonicalizes IPv4 hosts to dotted-decimal before applying the policy.</p>\n<h2 id=\"attack-chain\">Attack Chain</h2>\n<ol>\n<li><strong>Initial Access / Injection</strong>: An attacker injects a specially crafted URL containing an alternate IPv4 encoding (e.g., <code>http://2130706433/</code> for <code>127.0.0.1</code> or <code>http://2852039166/</code> for cloud metadata) into a Hugo template or data source.</li>\n<li><strong>Vulnerable Processing</strong>: During a Hugo site build, a template attempts to fetch content from this untrusted URL using the <code>resources.GetRemote</code> function.</li>\n<li><strong>Policy Bypass Attempt</strong>: Hugo's <code>security.http.urls</code> policy is consulted to determine if the URL should be denied, but it only checks for dotted-decimal IPv4 formats.</li>\n<li><strong>Encoding Misinterpretation</strong>: Due to the vulnerability, the policy fails to recognize the integer, hexadecimal, or octal IPv4 encoding as a disallowed internal, loopback, or cloud-metadata address.</li>\n<li><strong>DNS/Resolver Resolution</strong>: The host platform's <code>cgo</code> system resolver resolves the alternate IPv4 encoding (e.g., <code>2130706433</code>) to its standard dotted-decimal equivalent (<code>127.0.0.1</code>).</li>\n<li><strong>Internal Request Execution</strong>: Hugo proceeds to make an outbound HTTP GET request to the now-resolved internal IP address (e.g., <code>127.0.0.1</code>, <code>169.254.169.254</code>, or another internal service).</li>\n<li><strong>Information Disclosure/Internal Access</strong>: The build environment's internal services or cloud metadata endpoint respond to Hugo's request, potentially disclosing sensitive configuration data, credentials, or allowing access to internal resources that should have been protected.</li>\n</ol>\n<h2 id=\"impact\">Impact</h2>\n<p>The primary impact of this vulnerability is the potential for Server-Side Request Forgery (SSRF) during the Hugo site build process. If exploited, an attacker can coerce the build server to make outbound HTTP requests to arbitrary internal network resources, including loopback addresses, internal hosts, or cloud metadata endpoints (e.g., <code>169.254.169.254</code>). This can lead to the exposure of sensitive information such as cloud instance credentials, internal network topology, or other confidential data accessible from the build environment. While no specific victim counts or sectors were noted, organizations using Hugo in CI/CD pipelines or environments where untrusted content influences builds are at risk of unauthorized data access and potential lateral movement within their internal infrastructure.</p>\n<h2 id=\"recommendation\">Recommendation</h2>\n<ul>\n<li>Upgrade Hugo to version <strong>v0.163.1</strong> or newer immediately to apply the patch that correctly canonicalizes IPv4 addresses.</li>\n<li>Review CI/CD pipeline configurations and Hugo site templates to avoid passing untrusted or data-derived URLs directly to <code>resources.GetRemote</code>.</li>\n<li>Harden <code>security.http.urls</code> in Hugo configurations to implement an explicit allow-list of trusted hosts for <code>resources.GetRemote</code> calls.</li>\n<li>Deploy the provided Sigma rules to detect unexpected outbound network connections from build servers and similar environments.</li>\n<li>Ensure network connection logging is enabled on build servers and developer workstations to capture attempts to access internal or cloud metadata IPs.</li>\n</ul>\n",
      "date_modified": "2026-06-19T19:22:40Z",
      "date_published": "2026-06-19T19:22:40Z",
      "id": "https://feed.craftedsignal.io/briefs/2026-06-hugo-ssrf-bypass/",
      "summary": "A Server-Side Request Forgery (SSRF) vulnerability exists in Hugo versions 0.162.0 through 0.163.0, where the 'security.http.urls' policy designed to deny requests to loopback, internal, and cloud-metadata IPv4 literals could be bypassed as the policy only matched dotted-decimal notation, allowing alternate IPv4 encodings (integer, hex, octal) to pass, enabling build-time server-side requests to internal services and cloud-metadata endpoints when untrusted or data-derived URLs are passed to 'resources.GetRemote'.",
      "title": "Hugo security.http.urls Bypass via Alternate IPv4 Encodings (SSRF)",
      "url": "https://feed.craftedsignal.io/briefs/2026-06-hugo-ssrf-bypass/"
    }
  ],
  "language": "en",
  "title": "CraftedSignal Threat Feed - Build-Time",
  "version": "https://jsonfeed.org/version/1.1"
}