Vulnerability-Lookup

GHSA-X597-9FR4-5857

Vulnerability from github – Published: 2026-05-06 20:59 – Updated: 2026-05-13 16:42

Summary

Hugo's Node tool execution allows file system access outside the project directory

Details

Impact

When building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could allow code running through these tools to read or write files outside the project's working directory.

Users who do not use PostCSS, Babel, or TailwindCSS, or who only build trusted sites, are not affected.

Patches

From v0.161.0, Hugo runs Node tools under Node's permission model with strict defaults: No write access and only read access to the site source directories and files.

Workarounds

Block these tools in security.exec.allow.

Severity

6.2 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gohugoio/hugo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.43.0"
            },
            {
              "fixed": "0.161.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44301"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T20:59:23Z",
    "nvd_published_at": "2026-05-12T22:16:36Z",
    "severity": "MODERATE"
  },
  "details": "## Impact \nWhen building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could allow code running through these tools to read or write files outside the project\u0027s working directory.\n\nUsers who do not use PostCSS, Babel, or TailwindCSS, or who only build trusted sites, are not affected.\n\n## Patches\nFrom `v0.161.0`, Hugo runs Node tools under Node\u0027s permission model with strict defaults: No write access and only read access to the site source directories and files.\n\n## Workarounds\nBlock these tools in [security.exec.allow](https://gohugo.io/configuration/security/).",
  "id": "GHSA-x597-9fr4-5857",
  "modified": "2026-05-13T16:42:58Z",
  "published": "2026-05-06T20:59:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-x597-9fr4-5857"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44301"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gohugoio/hugo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Hugo\u0027s Node tool execution allows file system access outside the project directory"
}

CVE-2026-44301 (GCVE-0-2026-44301)

Vulnerability from cvelistv5 – Published: 2026-05-12 21:37 – Updated: 2026-05-13 12:13

Title

Hugo: Node tool execution allows file system access outside the project directory

Summary

Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could allow code running through these tools to read or write files outside the project's working directory. Users who do not use PostCSS, Babel, or TailwindCSS, or who only build trusted sites, are not affected. This vulnerability is fixed in 0.161.0.

Severity

6.2 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/gohugoio/hugo/security/advisor…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
gohugoio	hugo	Affected: >= 0.43.0, < 0.161.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44301",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T12:12:51.322209Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T12:13:13.152Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "hugo",
          "vendor": "gohugoio",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 0.43.0, \u003c 0.161.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Hugo is a static site generator. From 0.43 to before 0.161.0, when building a Hugo site that uses Node-based asset pipelines (PostCSS, Babel, TailwindCSS), Hugo invoked the configured Node tools without restrictions on file system access. As a result, executing hugo against an untrusted site could allow code running through these tools to read or write files outside the project\u0027s working directory. Users who do not use PostCSS, Babel, or TailwindCSS, or who only build trusted sites, are not affected. This vulnerability is fixed in 0.161.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.2,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-12T21:37:52.825Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/gohugoio/hugo/security/advisories/GHSA-x597-9fr4-5857",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/gohugoio/hugo/security/advisories/GHSA-x597-9fr4-5857"
        }
      ],
      "source": {
        "advisory": "GHSA-x597-9fr4-5857",
        "discovery": "UNKNOWN"
      },
      "title": "Hugo: Node tool execution allows file system access outside the project directory"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44301",
    "datePublished": "2026-05-12T21:37:52.825Z",
    "dateReserved": "2026-05-05T17:39:31.113Z",
    "dateUpdated": "2026-05-13T12:13:13.152Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted