CVE-2026-58404 in Hugoinfo

Summary

by MITRE • 07/06/2026

Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including integer, hex, or octal, passed the policy. When a template passes an untrusted or data-derived URL to resources.GetRemote and the host platform uses the cgo system resolver, these encodings resolve to the blocked address, allowing build-time server-side requests to loopback and internal services, including the cloud-metadata endpoint in hosted or CI builds; the same check is reused on redirects, so the gap also applies to each redirect hop. This issue is fixed in v0.163.1.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/06/2026

This vulnerability affects Hugo static site generator versions 0.162.0 through 0.163.0 and represents a critical security flaw in the HTTP URL policy implementation. The issue stems from an incomplete validation mechanism that only recognizes dotted-decimal IPv4 notation when blocking loopback and internal addresses, leaving alternate numeric representations unfiltered. This oversight creates a significant bypass opportunity where attackers can exploit various IPv4 encoding formats to circumvent security restrictions.

The technical flaw manifests in the default security.http.urls policy which was designed to prevent requests to sensitive IP ranges including 127.0.0.1 and other internal addresses. However, the validation logic failed to account for integer, hexadecimal, or octal representations of the same IP addresses, allowing these alternate encodings to pass through the filter. When templates utilize resources.GetRemote with untrusted URLs and the host platform employs the cgo system resolver, these encoded addresses resolve to their blocked counterparts, enabling unauthorized access to internal services during build-time operations.

The operational impact extends beyond simple bypass scenarios as this vulnerability affects not only direct requests but also follows redirects through the same flawed validation mechanism. This means that any redirect hop in a chain could potentially exploit the same vulnerability, amplifying the attack surface significantly. The issue is particularly dangerous in hosted environments or CI/CD builds where cloud-metadata endpoints are accessible, as it could enable attackers to extract sensitive information from these services during the build process.

This vulnerability aligns with CWE-20 Improper Input Validation and specifically relates to CWE-284 Improper Access Control in the context of network address validation. The attack pattern follows ATT&CK technique T1566.002 Phishing via Service Provider and T1071.004 Application Layer Protocol: Web Protocols, as it exploits web-based URL handling mechanisms to gain unauthorized access. The flaw represents a classic case of insufficient sanitization where multiple representations of the same value are not properly normalized before validation checks are applied.

The remediation involves upgrading to Hugo version 0.163.1 which implements comprehensive IPv4 address normalization and validation across all numeric representations. Organizations should also consider implementing additional monitoring for suspicious URL patterns during build processes, particularly when external resources are being fetched. Security teams should review existing build configurations to ensure that no untrusted URLs are processed through resources.GetRemote functions without proper validation, and consider implementing network segmentation to limit access to internal services even if bypasses occur.

Responsible

GitHub M

Reservation

06/30/2026

Disclosure

07/06/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!