<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Hugo - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/hugo/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 19 Jun 2026 19:22:40 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/hugo/feed.xml" rel="self" type="application/rss+xml"/><item><title>Hugo security.http.urls Bypass via Alternate IPv4 Encodings (SSRF)</title><link>https://feed.craftedsignal.io/briefs/2026-06-hugo-ssrf-bypass/</link><pubDate>Fri, 19 Jun 2026 19:22:40 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-06-hugo-ssrf-bypass/</guid><description>Hugo versions 0.162.0 through 0.163.0 contain a Server-Side Request Forgery (SSRF) weakness in the 'security.http.urls' policy. The policy was meant to deny requests to loopback, internal, and cloud-metadata IPv4 literals, but it matched only dotted-decimal notation, so alternate IPv4 encodings (integer, hexadecimal, octal) passed through. When untrusted or data-derived URLs reach 'resources.GetRemote', this allows build-time server-side requests to internal services and cloud-metadata endpoints.</description><content:encoded><![CDATA[<p>A Server-Side Request Forgery (SSRF) vulnerability in Hugo versions 0.162.0 through 0.163.0 lets an attacker who can influence a fetched URL bypass the <code>security.http.urls</code> policy. 
This policy is meant to stop Hugo from making requests to loopback, internal, or cloud-metadata IPv4 addresses during site generation, which matters wherever <code>resources.GetRemote</code> is handed a URL that comes from untrusted input or from site data. The bypass exists because the deny rule recognized IPv4 addresses only in dotted-decimal form and ignored the equivalent integer (<code>2130706433</code>), hexadecimal (<code>0x7f000001</code>) and octal (<code>0177.0.0.1</code>) spellings of <code>127.0.0.1</code>. Go's own address parser rejects those spellings, so the bypass is reachable when the host platform uses the <code>cgo</code> system resolver, where the C library's <code>getaddrinfo</code> accepts them. The result is a build-time request to internal infrastructure or a cloud metadata endpoint, with the information disclosure or unauthorized internal network access that implies in CI/CD pipelines and other build environments. The issue was fixed in Hugo v0.163.1, which canonicalizes IPv4 hosts to dotted-decimal before the policy is applied.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access / Injection</strong>: An attacker gets a URL whose host is an alternate IPv4 encoding (e.g., <code>http://2130706433/</code> for <code>127.0.0.1</code>, or <code>http://2852039166/</code> for the cloud-metadata address <code>169.254.169.254</code>) into a Hugo template or into a data source the template reads.</li>
<li><strong>Vulnerable Processing</strong>: During a Hugo site build, a template attempts to fetch content from this untrusted URL using the <code>resources.GetRemote</code> function.</li>
<li><strong>Policy Bypass Attempt</strong>: Hugo's <code>security.http.urls</code> policy is consulted to determine if the URL should be denied, but it only checks for dotted-decimal IPv4 formats.</li>
<li><strong>Encoding Misinterpretation</strong>: Due to the vulnerability, the policy fails to recognize the integer, hexadecimal, or octal IPv4 encoding as a disallowed internal, loopback, or cloud-metadata address.</li>
<li><strong>Resolver Interpretation</strong>: The request is handed to the host platform's <code>cgo</code> system resolver, whose C library <code>getaddrinfo</code> accepts <code>inet_aton</code>-style literals and interprets the alternate encoding (e.g., <code>2130706433</code>) as the numeric address <code>127.0.0.1</code>.</li>
<li><strong>Internal Request Execution</strong>: Hugo proceeds to make an outbound HTTP GET request to the now-resolved internal IP address (e.g., <code>127.0.0.1</code>, <code>169.254.169.254</code>, or another internal service).</li>
<li><strong>Information Disclosure/Internal Access</strong>: The build environment's internal services or cloud metadata endpoint respond to Hugo's request, potentially disclosing sensitive configuration data, credentials, or allowing access to internal resources that should have been protected.</li>
</ol>
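<p>The checks in the chain above, as an added example in Go (Hugo's language) that is not Hugo's code: <code>vulnerableAllowed</code> models a policy that compares the URL host literally against a constructed dotted-decimal deny list, <code>hardenedAllowed</code> models the v0.163.1 fix by first canonicalizing any <code>inet_aton</code>-style IPv4 literal (integer, hex, octal, and the short two- and three-part forms) to dotted-decimal, and <code>allowlistAllowed</code> shows the allow-list approach from the Recommendation section with a hypothetical <code>cdn.example.com</code> pattern. The deny list, the allow-list pattern and the sample URLs are all constructed for the example.</p>

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// Constructed deny list of dotted-decimal literals the policy was meant to block, and a
// constructed allow-list with one hypothetical CDN host. Neither is Hugo's real configuration.
var denied = []string{"127.0.0.1", "0.0.0.0", "169.254.169.254"}
var allowlist = []*regexp.Regexp{regexp.MustCompile(`^https://cdn\.example\.com/`)}

// parsePart reads one dotted component as inet_aton does: "0x" is hex, a
// leading "0" is octal, anything else decimal. An explicit base keeps strconv
// from also accepting Go-only forms (0b, 0o, underscores).
func parsePart(p string) (uint64, bool) {
	base := 10
	switch {
	case len(p) > 2 && (p[:2] == "0x" || p[:2] == "0X"):
		base, p = 16, p[2:]
	case len(p) > 1 && p[0] == '0':
		base, p = 8, p[1:]
	}
	v, err := strconv.ParseUint(p, base, 64)
	return v, err == nil
}

// canonicalIPv4 rewrites any inet_aton-style IPv4 literal (1 to 4 parts, each
// decimal, octal or hex; the last part fills the remaining bytes) to
// dotted-decimal. Hostnames and IPv6 literals report false.
func canonicalIPv4(host string) (string, bool) {
	parts := strings.Split(host, ".")
	n := len(parts)
	if n > 4 {
		return "", false
	}
	var addr uint32
	for i, p := range parts {
		v, ok := parsePart(p)
		bits := uint(8) // leading parts are one byte each
		if i == n-1 {
			bits = uint(8 * (4 - i)) // the last part fills the rest
		}
		if !ok || v >= uint64(1)<<bits {
			return "", false
		}
		addr = addr<<bits | uint32(v)
	}
	return fmt.Sprintf("%d.%d.%d.%d", byte(addr>>24), byte(addr>>16), byte(addr>>8), byte(addr)), true
}

// allowedBy applies the deny list to a URL's host, either literally (the
// flawed pre-0.163.1 behaviour) or after canonicalization (the fix).
func allowedBy(raw string, canonicalize bool) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	host := u.Hostname()
	if canon, ok := canonicalIPv4(host); canonicalize && ok {
		host = canon
	}
	for _, d := range denied {
		if host == d {
			return false
		}
	}
	return true
}

func vulnerableAllowed(raw string) bool { return allowedBy(raw, false) }
func hardenedAllowed(raw string) bool   { return allowedBy(raw, true) }

// allowlistAllowed is the defence in depth from the Recommendation section: an
// explicit allow-list, so how an unlisted host is spelled never matters.
func allowlistAllowed(raw string) bool {
	for _, re := range allowlist {
		if re.MatchString(raw) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample URLs: three spellings of 127.0.0.1, two of 169.254.169.254, then the CDN.
	for _, raw := range []string{
		"http://2130706433/", "http://0x7f000001/", "http://0177.0.0.1/",
		"http://2852039166/latest/meta-data/", "http://0xa9.0xfe.0xa9.0xfe/",
		"https://cdn.example.com/data.json",
	} {
		fmt.Printf("%-38s vulnerable=%-5v hardened=%-5v allowlist=%v\n",
			raw, vulnerableAllowed(raw), hardenedAllowed(raw), allowlistAllowed(raw))
	}
}
```

<p>Running it shows the integer, hex and octal spellings of <code>127.0.0.1</code> and <code>169.254.169.254</code> passing the literal check and failing the canonicalized one. The parser deliberately mirrors <code>inet_aton</code> (it rejects <code>08</code>, signs and underscores) instead of using <code>strconv</code>'s base-0 mode, which would also accept Go-specific literal forms. IPv6 literals are left untouched because the brief covers only IPv4 encodings.</p>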
<h2 id="impact">Impact</h2>
<p>The direct impact is SSRF during the Hugo build. An attacker who can influence a URL passed to <code>resources.GetRemote</code> can make the build host issue HTTP requests to loopback addresses, internal hosts, or cloud metadata endpoints such as <code>169.254.169.254</code>, potentially exposing cloud instance credentials, internal network topology, or other data reachable only from the build environment. No victim counts or affected sectors were noted; the exposed population is organizations running Hugo in CI/CD pipelines or other environments where untrusted content can shape a build, where a leaked cloud credential also opens the way to lateral movement inside the internal infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Hugo to version <strong>v0.163.1</strong> or newer; the fix canonicalizes IPv4 host literals to dotted-decimal before the policy is applied.</li>
<li>Review CI/CD pipeline configurations and Hugo site templates so that untrusted or data-derived URLs are never passed directly to <code>resources.GetRemote</code>.</li>
<li>Restrict <code>security.http.urls</code> to an explicit allow-list of the hosts <code>resources.GetRemote</code> is expected to fetch from, rather than relying on a deny-list of address literals; a host that is not on the list is blocked however its address is spelled.</li>
<li>Deploy the Sigma rules that accompany this brief to flag unexpected outbound connections from build servers and similar hosts.</li>
<li>Ensure network connection logging is enabled on build servers and developer workstations so that attempts to reach loopback, internal, or cloud metadata IPs are recorded.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ssrf</category><category>vulnerability</category><category>hugo</category><category>build-time</category><category>webserver</category></item></channel></rss>