Impact
A regression in Hugo between versions 0.123.0 and 0.161.1 caused the internal RootMappingFs.statRoot the contents of a file when the requested path was a symlink that pointed outside its intended mount point. The result is that an attacker who can supply or modify a local theme or other mounted content can read any file accessible to the Hugo process, a classic example of a local file read vulnerability (CWE-59).
Affected Systems
All installations of Hugo from 0.123.0 to 0.161.1 are affected. The flaw is relevant whenever a local mount, such as a vendored theme under themes/, contains a symlink that points to a file outside that directory. The issue is fixed starting with Hugo 0.162.0.
Risk and Exploitability
The vulnerability carries a CVSS score of 6.9, indicating moderate severity. No EPSS score is available, so its exploitation probability remains unknown, and it is not listed in CISA's KEV catalog. Exploitation requires the ability to place a sy a capability that exists when developers provide custom or third‑party themes. Once such a symlink is present, a call to resources.Get will expose the target file’s contents to the user running the build process.
OpenCVE Enrichment
Github GHSA