Impact
From version 0.123.0 through 0.163.0, Hugo's virtual filesystem was intended to prevent files within a mount from accessing files outside that mount tree. A regression caused the RootMappingFs.statRoot function to call Stat, which follows symbolic links, instead of Lstat. As a result, a call to os.ReadFile on a symlink that points to a file outside the mount returned the contents of the target file. This allows a user running Hugo to read any file reachable by the build process, such as configuration files or credentials.
Affected Systems
The vulnerability impacts the Hugo static site generator released by gohugoio. It affects all versions from 0.123.0 up to and including 0.163.0. The issue is fixed in release 0.163.1 and later.
Risk and Exploitability
The CVSS score of 5.9 indicates moderate severity. The EPSS score of < 1% points to a very low but non-zero exploitation probability, and the vulnerability is not listed in CISA KEV. The flaw is exploitable only in a local context where the build process has write access to the mount tree and the attacker can place a symlink that points outside the mount. An attacker would need to supply a malicious theme or content with such a symlink, then run Hugo to read arbitrary files that the process can access.
OpenCVE Enrichment