How the CVE works
When Hugo builds a site that uses a Node-based asset pipeline (PostCSS, Babel, or TailwindCSS), it spawns the configured Node tools through Go's os/exec. In affected versions (≥0.43.0, <0.161.0) Hugo places no filesystem restrictions on these child processes: there is no permission sandbox in between, so each tool inherits the full filesystem access of the Hugo process.

A site's postcss.config.js, babel.config.js, or similar file is ordinary Node code that the tool loads and executes. A malicious site author can therefore ship a config that, when `hugo` runs the tool, reads or writes arbitrary files outside the project's working directory (path traversal, CWE-22): reading sensitive files such as /etc/passwd or SSH keys, or overwriting system files. The issue is triggered only when a user runs `hugo` on an untrusted site and that site enables one of the affected Node tools.

The CVSS v4 score is 6.2 (Medium), with the vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U. The fix in v0.161.0 runs the Node tools under Node's own permission model with strict defaults: no write access, and read access only to the site's source directories and files. Users who cannot upgrade can block the tools entirely through Hugo's `security.exec.allow` configuration, which is an allowlist of Go regular expressions matched against the name of the command Hugo is about to run.
dailycve form
Platform: Hugo
Version: ≥0.43.0 <0.161.0
Vulnerability : Path Traversal
Severity: Moderate (CVSS 6.2)
date: 2026-05-06
Prediction: Already patched in v0.161.0
Analytics (What Undercode Say)
Check the current Hugo version (anything from 0.43.0 up to, but not including, 0.161.0 is affected):

```shell
hugo version
```

Reproduce only against a deliberately crafted project: building a site whose pipeline calls PostCSS, Babel or Tailwind executes their config files as Node code, so the ordinary build command is the trigger:

```shell
hugo --config config.toml
```
An example malicious postcss.config.js that reads /etc/passwd once the build invokes PostCSS (the config file is plain Node code, so anything placed at the top level of the module also runs as soon as the tool loads it):

```javascript
// Malicious PostCSS config: on a vulnerable Hugo the plugin inherits the
// full filesystem access of the hugo process.
module.exports = {
  plugins: [
    // PostCSS accepts a bare function as a plugin and calls it with the
    // parsed CSS root; this one ignores the CSS and reads outside the site.
    () => {
      const fs = require('fs');
      console.log(fs.readFileSync('/etc/passwd', 'utf8'));
    }
  ]
};
```
Upgrade to the patched version on Linux/macOS (building from source with Go):

```shell
go install github.com/gohugoio/hugo@v0.161.0
```

Or on Windows (using winget; use the Hugo.Hugo.Extended package id if you run the extended build):

```shell
winget upgrade Hugo.Hugo --version 0.161.0
```
Exploit
An attacker creates a Hugo site whose `postcss.config.js` contains Node code that reads `/etc/passwd` and writes the contents to a location the attacker can later retrieve. When a victim runs `hugo` to build the site, the file is exfiltrated; nothing beyond the normal build step is required, and the victim sees only a successful build.
Protection from this CVE
- Upgrade to Hugo v0.161.0 immediately.
- If upgrading is not possible, block the Node tools via `security.exec.allow`. The setting is an allowlist of Go regular expressions, and Go's RE2 syntax has no negative lookahead, so a pattern such as `^(?!postcss|babel|tailwindcss)` will not compile and Hugo will refuse it. Instead restate the allowlist without the Node entries, e.g.
  security.exec.allow = ['^(dart-)?sass(-embedded)?$', '^go$', '^git$']
  Hugo's default list also contains '^npx$', '^postcss$' and '^tailwindcss$'; npx is how Babel is launched, so all three must be left out.
- Never run `hugo` on untrusted sites without code review.
- Use sandboxed environments (containers, VMs) for untrusted builds.
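As an added example (not Hugo's own code), the Go program below shows the two protections described on this page in working form: the workaround, where Hugo-style `security.exec.allow` patterns are compiled as Go RE2 regular expressions and matched against the tool name, and the v0.161.0 approach of launching the tool under Node's permission model with read access limited to the project directory and no write grant. The `DefaultAllow` values mirror Hugo's documented defaults; `ExecAllowed`, `UnsandboxedArgs`, `SandboxedNodeArgs`, the script path `node_modules/postcss-cli/index.js` and the Node flags `--permission` / `--allow-fs-read` (Node 22.13 or later) are illustrations of the technique, not Hugo's actual functions or invocation.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
)

// DefaultAllow mirrors Hugo's documented default security.exec.allow list:
// Go regular expressions matched against the name of the tool to be run.
var DefaultAllow = []string{
	`^(dart-)?sass(-embedded)?$`, `^go$`, `^git$`,
	`^npx$`, `^postcss$`, `^tailwindcss$`,
}

// HardenedAllow is the workaround from this page: the same list with every
// Node-based entry removed (npx is how Babel is launched).
var HardenedAllow = []string{`^(dart-)?sass(-embedded)?$`, `^go$`, `^git$`}

// ExecAllowed reports whether name matches at least one allow pattern.
// A pattern that fails to compile is an error rather than a silent deny:
// Go's regexp package is RE2, which has no lookahead, so a deny-list in
// disguise such as ^(?!postcss) is rejected outright. (Illustrative
// helper, not Hugo's own implementation.)
func ExecAllowed(allow []string, name string) (bool, error) {
	base := filepath.Base(name) // compare the bare tool name, not a path
	for _, p := range allow {
		re, err := regexp.Compile(p)
		if err != nil {
			return false, fmt.Errorf("security.exec.allow %q: %w", p, err)
		}
		if re.MatchString(base) {
			return true, nil
		}
	}
	return false, nil
}

// UnsandboxedArgs is the pre-0.161.0 shape: the tool binary is executed
// directly and inherits the whole filesystem view of the hugo process.
func UnsandboxedArgs(tool string, args ...string) []string {
	return append([]string{tool}, args...)
}

// SandboxedNodeArgs builds an argv that runs a Node script under Node's
// permission model (assumed flags: --permission and --allow-fs-read, Node
// 22.13+). Reads are confined to projectDir, which must also hold the
// tool's node_modules, and no --allow-fs-write is granted, matching the
// "no write access" default described for the fix. Illustrative only.
func SandboxedNodeArgs(projectDir, script string, args ...string) []string {
	abs, err := filepath.Abs(projectDir)
	if err != nil {
		abs = projectDir
	}
	argv := []string{"node", "--permission", "--allow-fs-read=" + abs, script}
	return append(argv, args...)
}

func main() {
	for _, tool := range []string{"postcss", "npx", "tailwindcss", "git"} {
		def, _ := ExecAllowed(DefaultAllow, tool)
		hard, _ := ExecAllowed(HardenedAllow, tool)
		fmt.Printf("%-12s default=%-5v hardened=%v\n", tool, def, hard)
	}
	if _, err := ExecAllowed([]string{`^(?!postcss|babel|tailwindcss)`}, "postcss"); err != nil {
		fmt.Println("lookahead pattern rejected:", err)
	}
	fmt.Println(UnsandboxedArgs("postcss", "--config", "postcss.config.js"))
	fmt.Println(SandboxedNodeArgs("/srv/site", "node_modules/postcss-cli/index.js",
		"--config", "postcss.config.js"))
}
```

Running it prints one line per tool showing that the default list permits postcss, npx and tailwindcss while the hardened list permits only git, then the RE2 compile error for the lookahead pattern, then the unsandboxed and sandboxed command lines side by side. The point of the last two lines is that the sandboxed argv carries no write grant at all and a read grant no wider than the project directory, so a config file like the one above fails at `readFileSync('/etc/passwd')` instead of succeeding.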
Impact
- Unauthorized reading of any file accessible to the Hugo process (e.g., /etc/passwd, application secrets, SSH keys).
- Unauthorized writing/modification of files outside the project directory, potentially leading to system compromise.
- Complete confidentiality and integrity loss for the compromised host.
Sources:
Reported By: github.com