GHSA-R46F-3RPW-HXRV
Vulnerability from github – Published: 2026-06-19 19:18 – Updated: 2026-06-19 19:18Impact
The default security.http.urls policy denies requests to loopback, internal,
and cloud-metadata IPv4 literals (e.g. http://127.0.0.1/,
http://169.254.169.254/). The deny rule only matched dotted-decimal notation,
so alternate IPv4 encodings of the same addresses — integer, hex, or octal,
which contain no dot — passed the policy:
http://2130706433/→127.0.0.1http://2852039166/→169.254.169.254(cloud metadata)http://0x7f000001/,http://017700000001/,http://0/
When a template passes an untrusted or data-derived URL to
resources.GetRemote and the host platform uses the
cgo system resolver, these encodings resolve to the blocked address — allowing
build-time server-side requests to loopback and internal services, including the
cloud-metadata endpoint in hosted/CI builds. The same check is reused on
redirects, so the gap also applies to each redirect hop.
This affects sites that rely on security.http.urls as a security boundary
while fetching attacker-influenced remote URLs; it does not affect sites that
fully trust the URLs they fetch.
### Patches
Fixed in v0.163.1. Integer/hex/octal IPv4 hosts are now canonicalized to dotted-decimal before the policy is applied, so every encoding of an address is treated alike. No configuration change is required.
### Workarounds
Avoid passing untrusted URLs to resources.GetRemote, or
tighten security.http.urls to an explicit allow-list of trusted hosts.
### Affected versions
v0.162.0 – v0.163.0 (patched in v0.163.1).
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/gohugoio/hugo"
},
"ranges": [
{
"events": [
{
"introduced": "0.162.0"
},
{
"fixed": "0.163.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T19:18:14Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\n The default `security.http.urls` policy denies requests to loopback, internal,\n and cloud-metadata IPv4 literals (e.g. `http://127.0.0.1/`,\n `http://169.254.169.254/`). The deny rule only matched dotted-decimal notation,\n so alternate IPv4 encodings of the same addresses \u2014 integer, hex, or octal,\n which contain no dot \u2014 passed the policy:\n\n - `http://2130706433/` \u2192 `127.0.0.1`\n - `http://2852039166/` \u2192 `169.254.169.254` (cloud metadata)\n - `http://0x7f000001/`, `http://017700000001/`, `http://0/`\n\n When a template passes an untrusted or data-derived URL to\n `resources.GetRemote` and the host platform uses the\n cgo system resolver, these encodings resolve to the blocked address \u2014 allowing\n build-time server-side requests to loopback and internal services, including the\n cloud-metadata endpoint in hosted/CI builds. The same check is reused on\n redirects, so the gap also applies to each redirect hop.\n\n This affects sites that rely on `security.http.urls` as a security boundary\n while fetching attacker-influenced remote URLs; it does not affect sites that\n fully trust the URLs they fetch.\n\n ### Patches\n\n Fixed in **v0.163.1**. Integer/hex/octal IPv4 hosts are now canonicalized to\n dotted-decimal before the policy is applied, so every encoding of an address is\n treated alike. No configuration change is required.\n\n ### Workarounds\n\n Avoid passing untrusted URLs to `resources.GetRemote`, or\n tighten `security.http.urls` to an explicit allow-list of trusted hosts.\n\n ### Affected versions\n\n v0.162.0 \u2013 v0.163.0 (patched in v0.163.1).",
"id": "GHSA-r46f-3rpw-hxrv",
"modified": "2026-06-19T19:18:14Z",
"published": "2026-06-19T19:18:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-r46f-3rpw-hxrv"
},
{
"type": "PACKAGE",
"url": "https://github.com/gohugoio/hugo"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Hugo: security.http.urls deny rules bypassed by alternate IPv4 encodings (SSRF)"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.