Impact
From version 0.43 up to, but not including, 0.161.0, Hugo builds of sites that use Node-based asset pipelines (PostCSS, Babel, and TailwindCSS) executed the configured Node tools without any restriction on file system access. Consequently, running the Hugo build against a site that incorporates untrusted content could allow the code executed by those Node tools to read or modify any file the build user can access, including files outside the project’s working directory. The weakness is a classic directory traversal issue documented as CWE-22, exposing the host system to arbitrary file read or write operations that could compromise confidentiality, integrity, or availability.
Affected Systems
The vulnerability is present in Hugo versions from 0.43 up to, but not including, 0.161.0. The affected product is the Hugo static site generator provided by the gohugoio organization. Users who do not incorporate Node‑based pipelines such as PostCSS, Babel, or TailwindCSS, or who only build sites that originate from trusted sources, are effectively not impacted.
Risk and Exploitability
With a CVSS score of 6.2, the flaw is of moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating no publicly known, widespread exploitation at this time. The likely attack path is building or deploying a Hugo site that incorporates untrusted source content and uses the vulnerable asset pipeline. When Hugo processes such a site, the Node tools execute without sandboxing and can read or write any file the build user can access, allowing potential data theft or code injection into the host environment.
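A defender-side triage check for the two conditions the advisory describes, written as an added example (not Hugo project code): it parses the output of `hugo version`, tests it against the affected range, and looks for the PostCSS, Babel and TailwindCSS config files that indicate a Node-based pipeline is in use. The config file names are the tools' conventional defaults and are an assumption here, as is the `hugo version` output format used in the usage block.

```python
import re
import subprocess
import sys
from pathlib import Path

# Affected range as stated in the advisory: 0.43 <= version < 0.161.0.
AFFECTED_MIN = (0, 43, 0)
FIXED_VERSION = (0, 161, 0)

# Config files that signal a Node-based asset pipeline. These are the tools'
# conventional file names (an assumption here, not taken from the advisory).
PIPELINE_MARKERS = {
    "PostCSS": {"postcss.config.js", "postcss.config.cjs", "postcss.config.mjs"},
    "Babel": {"babel.config.js", "babel.config.json", ".babelrc", ".babelrc.json"},
    "TailwindCSS": {"tailwind.config.js", "tailwind.config.cjs", "tailwind.config.ts"},
}

_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)(?:\.(\d+))?")

def parse_hugo_version(text):
    """Return (major, minor, patch) from `hugo version` output or a bare version."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))

def is_affected_version(version):
    """True when the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= tuple(version) < FIXED_VERSION

def detect_pipelines(file_names):
    """Name the Node pipelines whose config files appear among file_names."""
    present = set(file_names)
    return sorted(tool for tool, markers in PIPELINE_MARKERS.items() if present & markers)

def assess(version_text, file_names):
    """Both conditions must hold: an affected Hugo version and a Node pipeline in use."""
    version = parse_hugo_version(version_text)
    pipelines = detect_pipelines(file_names)
    vulnerable = is_affected_version(version)
    return {"version": version, "vulnerable_version": vulnerable,
            "pipelines": pipelines, "at_risk": vulnerable and bool(pipelines)}

if __name__ == "__main__":
    # Usage: python check_hugo.py /path/to/site  (runs the local `hugo version`)
    site = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    out = subprocess.run(["hugo", "version"], capture_output=True, text=True).stdout
    print(assess(out, (p.name for p in site.iterdir() if p.is_file())))
```

A site that only builds trusted content is out of scope for this check; it reports the exposure precondition, not whether untrusted content is present.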
OpenCVE Enrichment
Github GHSA