GHSA-fw87-fv5r-9fpwMedium

Hugo: Symlink confinement bypass in resources.Get

Published
June 16, 2026
Last Modified
June 16, 2026

🔗 CVE IDs covered (1)

📋 Description

Commit: f8b5fa09a6Fix prevention of direct symlink reads in resources.Get Affected versions: v0.123.0 through v0.161.1. Earlier versions are not affected. Fixed in: v0.162.0. Severity: Medium. Requires the attacker to be able to place (or convince a site author to place) a symlink inside a mounted directory — for example, inside a locally-vendored theme under themes/. Themes mounted as Go modules from GitHub have symlinks stripped on download and are not affected. Multi-directory walks (e.g. content/asset walking) were not affected either; only direct lookups via resources.Get followed symlinks.

Description. Hugo's virtual filesystem is designed so that files under a mount cannot reach outside the mount tree. A regression introduced in v0.123.0 caused RootMappingFs.statRoot to call Stat (which follows symlinks) instead of Lstat, so a direct resources.Get "somefile" where somefile was a symlink pointing outside the mount would return the target's contents. This effectively let a symlink planted inside a theme or local mount read arbitrary files reachable to the user running hugo.

Mitigation. v0.162.0 calls LstatIfPossible and rejects symlinked entries with os.ErrNotExist, matching the behaviour of pre-v0.123.0 releases and of the directory-walking code paths.

🎯 Affected products1

  • go/github.com/gohugoio/hugo:>= 0.123.0, < 0.162.0

🔗 References (4)