Hugo: security.http.urls allow-list bypass via HTTP redirects
- Where: Global (internet)
- Category: cyber_advisory · go
**Commit:** [86fbb0f7a8](https://github.com/gohugoio/hugo/commit/86fbb0f7a8) — _security: Validate redirects against security.http.urls_

**Affected versions:** v0.91.0 (when `security.http.urls` was introduced) through v0.161.1.

**Fixed in:** v0.162.0.

**Severity:** Only relevant for sites that rely on `security.http.urls` as a trust boundary, e.g. CI builds that fetch remote resources but want to constrain which hosts can be reached. Not an issue if you fully trust every URL passed to `resources.GetRemote`.

**Description.** `resources.GetRemote` enforces `security.http.urls` on the URL it is called with, but until v0.162.0 it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid, for example `http://localhost/` or an internal IP, and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place.

**Mitigation.** v0.162.0 installs a `CheckRedirect` on the HTTP client used by `resources.GetRemote` that re-runs `security.http.urls` on every redirect target and caps the redirect chain at 10 hops. No configuration change is required.
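The mitigation described above, written out as an added Go example that is not Hugo's own code: a `CheckRedirect` hook that re-runs an anchored-regexp allow-list on every redirect hop and stops after 10 hops. The `urlAllowed`, `checkRedirect` and `newClient` names, the `example.org` pattern and the `localhost` redirect target are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"regexp"
)

// maxRedirects is the hop cap the v0.162.0 fix applies to the redirect chain.
const maxRedirects = 10

// errDenied flags a URL that no security.http.urls pattern allows.
var errDenied = errors.New("URL not allowed by security.http.urls policy")

// urlAllowed reports whether u matches at least one anchored allow-list regexp,
// the same shape as Hugo's security.http.urls entries (assumed here).
func urlAllowed(u string, allow []*regexp.Regexp) bool {
	for _, re := range allow {
		if re.MatchString(u) {
			return true
		}
	}
	return false
}

// checkRedirect returns an http.Client.CheckRedirect hook that re-runs the
// allow-list on every redirect target and stops the chain after maxRedirects.
// Go's default policy follows up to 10 redirects without any host check,
// which is exactly the pre-v0.162.0 bypass.
func checkRedirect(allow []*regexp.Regexp) func(*http.Request, []*http.Request) error {
	return func(req *http.Request, via []*http.Request) error {
		if len(via) >= maxRedirects {
			return fmt.Errorf("stopped after %d redirects", maxRedirects)
		}
		if !urlAllowed(req.URL.String(), allow) {
			return fmt.Errorf("%w: redirect to %s", errDenied, req.URL)
		}
		return nil
	}
}

// newClient builds the client a GetRemote-style fetcher would use. The caller
// still validates the initial URL with urlAllowed before calling client.Get.
func newClient(allow []*regexp.Regexp) *http.Client {
	return &http.Client{CheckRedirect: checkRedirect(allow)}
}
```

Because the hook receives the full `via` chain, a redirect that bounces an allowed host to `localhost` or an RFC 1918 address fails with `errDenied` before any request to that target is sent.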
Sources
- GitHub Advisory Database · first seen 2026-06-16 19:22 UTC