CVE-2026-58404
Received Received - Intake

Hugo Static Site Generator IPv4 Bypass in Security Policy

Vulnerability report for CVE-2026-58404, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including integer, hex, or octal, passed the policy. When a template passes an untrusted or data-derived URL to resources.GetRemote and the host platform uses the cgo system resolver, these encodings resolve to the blocked address, allowing build-time server-side requests to loopback and internal services, including the cloud-metadata endpoint in hosted or CI builds; the same check is reused on redirects, so the gap also applies to each redirect hop. This issue is fixed in v0.163.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-07
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
gohugoio hugo From 0.162.0 (inc) to 0.163.0 (inc)
gohugoio hugo 0.163.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Hugo, a static site generator, involves a bypass of its security policy that blocks requests to certain internal IP addresses. The policy was designed to deny requests to loopback, internal, and cloud-metadata IPv4 addresses when expressed in standard dotted-decimal notation (e.g., 127.0.0.1). However, the vulnerability allowed alternate IPv4 address encodingsβ€”such as integer, hexadecimal, or octal formsβ€”to bypass these restrictions.

When a template passes an untrusted or data-derived URL to the resources.GetRemote function, and the host platform uses the cgo system resolver, these alternate encodings resolve to the blocked addresses, enabling unauthorized server-side requests to internal services. This includes access to sensitive endpoints like cloud-metadata in hosted or continuous integration builds. The vulnerability also applies to redirect hops because the same check is reused on redirects.

The issue was fixed in Hugo version 0.163.1 by normalizing all IPv4 address encodings to the standard dotted-decimal form before applying the security policy, ensuring consistent blocking of disallowed addresses.

Impact Analysis

This vulnerability can allow an attacker to perform server-side request forgery (SSRF) attacks by bypassing security restrictions on internal IP addresses. Specifically, it enables unauthorized build-time server-side requests to loopback, internal, and cloud-metadata endpoints.

Such unauthorized access could expose sensitive internal services or metadata endpoints, potentially leaking confidential information or enabling further attacks within the internal network or cloud environment.

The vulnerability affects hosted or continuous integration (CI) build environments where untrusted URLs might be processed, increasing the risk of exploitation in automated build pipelines.

Detection Guidance

This vulnerability involves bypassing security.http.urls deny rules through alternate IPv4 encodings such as integer, hexadecimal, or octal representations of loopback, internal, and cloud-metadata addresses.

Detection can focus on identifying requests or logs where URLs use non-standard IPv4 encodings that resolve to restricted addresses.

  • Inspect logs or network traffic for URLs containing integer (e.g., 2130706433), hex (e.g., 0x7f000001), or octal (e.g., 017700000001) IPv4 address formats.
  • Use network monitoring tools or packet capture utilities (e.g., tcpdump, Wireshark) to filter HTTP requests and analyze the host portion of URLs for alternate IPv4 encodings.
  • Example command to search logs for hex or integer IP encodings: grep -E '0x[0-9a-fA-F]+|[0-9]{7,10}' /path/to/logfile
  • Use scripting or parsing tools to normalize IP addresses in URLs to dotted-decimal form and check if they resolve to loopback or internal addresses.
Mitigation Strategies

The vulnerability is fixed in Hugo version 0.163.1 by canonicalizing IPv4 hosts to dotted-decimal notation before applying security policies.

Immediate mitigation steps include:

  • Upgrade Hugo to version 0.163.1 or later where the fix is implemented.
  • Avoid passing untrusted or data-derived URLs to resources.GetRemote to prevent SSRF risks.
  • Tighten the security.http.urls configuration by using an explicit allow-list rather than relying solely on deny rules.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58404. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart