Hugo
cpe:2.3:a:gohugo:hugo:*:*:*:*:*:*:*, +3 more
- >= 0.43, < 0.161.0
A vulnerability in Hugo, a static site generator, exists in versions 0.43 prior to 0.161.0. When building sites that utilize Node-based asset pipelines such as PostCSS, Babel, or TailwindCSS, Hugo executed the specified Node tools without proper restrictions on file system access. This lack of restriction could enable code processed by these tools to read or write files outside the project's working directory. The vulnerability does not affect users who build only trusted sites or those who do not use the mentioned asset pipelines.
Exploitation of this vulnerability could lead to unauthorized reading or writing of files outside the project's working directory, potentially allowing sensitive information to be accessed or modified.
Users can update to Hugo version 0.161.0 or later, where Node tools are executed under Node's permission model with strict defaults, allowing no write access and only read access to the site source directories and files. Alternatively, users can block PostCSS, Babel, and TailwindCSS in the security.exec.allow configuration.
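As an added illustration (not text or configuration from the advisory or the Hugo project), the two `hugo.toml` fragments below contrast an allow list that permits the affected Node pipelines with one that blocks them via `security.exec.allow`, the workaround named above. The regular expressions for the non-Node tools and the exact default list are assumptions for illustration; the entries to drop are the three tools the advisory names, plus `npx`, through which Hugo invokes Babel.

```toml
# --- Permissive (assumed default-style allow list; entries other than the
# --- three tools named in the advisory are illustrative assumptions) ---
[security]
  [security.exec]
    allow = [
      '^(dart-)?sass(-embedded)?$',
      '^go$',
      '^git$',
      '^npx$',          # Babel is run through npx
      '^postcss$',
      '^tailwindcss$',
    ]

# --- Restricted: Node-based pipelines removed from the allow list ---
# With these entries gone, any template that calls the PostCSS, Babel or
# TailwindCSS pipelines fails the build with an exec security error instead
# of launching the tool, so untrusted content cannot reach the file system
# through it. Keep only the non-Node tools the site actually needs.
[security]
  [security.exec]
    allow = [
      '^(dart-)?sass(-embedded)?$',
      '^go$',
      '^git$',
    ]
```

Use one of the two `[security]` tables, not both; the restricted form is a stop-gap for sites that must stay on a version before 0.161.0.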